Experts Uncover New Revelations about Operation Triangulation

    Kaspersky Uncovers the TriangleDB Implant Targeting iOS

    Kaspersky recently unearthed the TriangleDB implant targeting Apple iOS devices. This implant features four distinct modules, each serving a specific purpose.

    Modules and Their Functions
    The modules actively record audio using the device’s microphone, pull data from the iCloud Keychain, steal information from SQLite databases in various apps, and determine the victim’s location.

    Unraveling Operation Triangulation
    Kaspersky’s team discovered this while investigating “Operation Triangulation.” This campaign aimed to secretly extract sensitive data from compromised devices, ensuring its activities remained concealed.

    Exploiting iOS Vulnerabilities
    In June 2023, revelations showed that attackers had targeted iOS devices with a zero-click exploit. They took advantage of two zero-day security flaws in the iMessage platform, CVE-2023-32434 and CVE-2023-32435. By exploiting these vulnerabilities, the attackers could seize complete control over the device and its data.

    Identifying the Threat Actor
    While the identity of the threat actor remains elusive, Kaspersky itself became a target, prompting a deep dive into this advanced persistent threat (APT) platform. The attack’s core component is a backdoor named TriangleDB. The attackers deploy this backdoor after gaining root privileges on an iOS device by exploiting the CVE-2023-32434 kernel vulnerability.

    Implant Deployment Process
    Kaspersky’s analysis indicates that the implant’s deployment undergoes two validator stages: the JavaScript Validator and the Binary Validator. The validators check if the target device belongs to a research environment. They send the gathered information to a command-and-control (C2) server for review. This strategy ensures that the implant doesn’t deploy on research devices, protecting the zero-day exploits and the implant.

    Deep Dive into the Attack Chain
    The attack starts with an undetectable iMessage attachment, activating a zero-click exploit chain. This exploit chain launches a specific URL containing hidden JavaScript and an encrypted payload. The payload carries the JavaScript validator, which collects device information and sends it to a remote server. This server then dispatches the next-stage malware.

    Binary Validator and Its Actions
    Upon delivery of the next-stage malware, the Binary Validator, a Mach-O binary file, springs into action. It clears crash logs to wipe out exploitation traces, removes malicious iMessage attachments, gathers details about the device and its apps, and sends the encrypted results to the C2 server.

    Backdoor’s Communication with the C2 Server
    The backdoor establishes a line of communication with the C2 server, sending regular heartbeats. The server sends back commands to erase crash logs and database files, obfuscating any evidence. The implant also sends files containing location, iCloud Keychain, SQL-related data, and recorded audio at regular intervals.

    Adversary’s Stealth Techniques
    Interestingly, the implant’s microphone-recording module stops recording when the device screen lights up to remain undetected. Without GPS data, the location-monitoring module uses GSM data to estimate the victim’s whereabouts.

    Researchers concluded, “The Triangulation adversary took meticulous steps to remain undetected. Their in-depth knowledge of iOS internals became evident as they utilized private undocumented APIs during the attack.”

    Latest articles

    Related articles