iShutdown Scripts Expose Spyware on Compromised Apple Devices

by | Jan 18, 2024 | News

iShutdown Scripts Expose Spyware on Compromised Apple Devices

Post Views: 1,272




Join our Patreon Channel and Gain access to 70+ Exclusive Walkthrough Videos.

Patreon
Reading Time: 3 Minutes

Security researchers have identified a method to detect high-profile spyware infections, including Pegasus, Reign, and Predator, on compromised Apple mobile devices. Kaspersky has introduced 3 Python scripts, collectively known as iShutdown, to automate the analysis of the Shutdown.log system log file, where digital forensic artifacts of malware infections can be found.

The Shutdown.log file, which records reboot events, becomes a crucial source for identifying infections that impact device reboot due to process injection and manipulation performed by the malware. This method offers a more accessible analysis compared to traditional techniques like examining encrypted iOS backups or network traffic.

Kaspersky’s iShutdown scripts consist of three components:

  1. iShutdown_detect.py: Analyzes the Sysdiagnose archive containing the log file.
  2. iShutdown_parse.py: Extracts Shutdown.log artifacts from the tar archive.
  3. iShutdown_stats.py: Extracts reboot statistics from the log file.

See Also: So, you want to be a hacker?
Offensive Security, Bug Bounty Courses




Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.

To utilize these scripts, Kaspersky recommends restarting the infected device frequently, as the Shutdown.log file can only register data with signs of infection after a reboot following compromise.

While the GitHub repository provides instructions and example outputs, users are advised to have some familiarity with Python, iOS, terminal output, and malware indicators to properly evaluate the results.

Output highlighting processes delaying the reboot process in redOutput highlighting processes delaying the reboot process (Kaspersky)

The method, initially used to analyze iPhones infected with Pegasus spyware, has shown consistency in behavior across other Pegasus infections, confirming its reliability as a forensic artifact. However, the researchers note that the method may fail if the user doesn’t reboot the device on the day of infection.

Trending: Human Intelligence is the best defense against Phishing Attacks




Trending: Offensive Security Tool: msoffcrypto-tool

Notably, Kaspersky researchers observed log anomalies, such as delayed reboots, which could be indicative of a spyware-related process. Excessive delays, more than four, are considered suspicious and warrant investigation.

During testing on an iPhone infected with Reign spyware, the researchers found similarities in the execution path with Pegasus, reinforcing the belief that the log file can help identify infections by these malware families. This method, though dependent on frequent device reboots, represents a significant step in enhancing the detection capabilities for spyware threats on Apple devices.

Trending: SpectralBlur: The New macOS Backdoor Linked to North Korean Threat Actors

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link

Merch

Recent News

EXPLORE OUR STORE

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!

Information Security Solutions

Find out how Pentesting Services can help you.

Join our Community

Share This