Kaspersky Reveals TriangleDB Spyware Implant in Operation Triangulation Campaign Targeting iOS Devices

Kaspersky researchers provide in-depth analysis of the TriangleDB spyware implant used in the Operation Triangulation campaign, targeting iOS devices via iMessage. The implant operates in device memory, ensuring stealth and erasing evidence upon reboot, necessitating reinfection for continued surveillance.


KUALA LUMPUR, 27 Jun 2023 – Kaspersky, a leading global cybersecurity company, has unveiled crucial insights into the spyware implant utilized in the Operation Triangulation campaign that specifically targets iOS devices. Known as TriangleDB, this covert implant enables attackers to conduct surveillance undetected, operating solely in the device’s memory and erasing all evidence upon reboot.

Following an extensive six-month investigation, Kaspersky researchers have published an in-depth analysis of the exploitation chain employed in the campaign, shedding light on the spyware implant operation. TriangleDB, deployed through the exploitation of a kernel vulnerability, gains root privileges on the targeted iOS device. Because the implant operates solely in device memory, traces of the infection vanish upon reboot; if the victim restarts their device, the attackers must reinfect it through another iMessage with a malicious attachment. However, if no reboot occurs, the implant automatically uninstalls after 30 days, unless the attackers extend this period. TriangleDB functions as sophisticated spyware, capable of extensive data collection and monitoring.

The implant comprises 24 commands, serving various purposes such as file system interaction (creation, modification, exfiltration, and removal), process management (listing and termination), extraction of keychain items to gather victim credentials, and geolocation monitoring, among others.

During the analysis of TriangleDB, Kaspersky experts made an intriguing discovery, identifying an unused method called populateWithFieldsMacOSOnly in the CRConfig class. Although not utilized in the iOS implant, its presence suggests the possibility of a similar implant targeting macOS devices.

Georgy Kucherin, a security expert at Kaspersky Global Research and Analysis Team (GReAT), commented, “As we delved into the attack, we discovered a sophisticated iOS implant that displayed numerous intriguing oddities. We continue analyzing the campaign and will keep everyone updated with further insights into this sophisticated attack. We call upon the cybersecurity community to unite, share knowledge, and collaborate to gain a clearer picture of the threats out there.”

To assist users in identifying malware infections, Kaspersky researchers have released a special utility called ‘triangle_check,’ which automatically searches for the presence of the spyware implant. For a detailed guide on how to check devices, please refer to the accompanying blog post.

To safeguard against targeted attacks by known or unknown threat actors, Kaspersky researchers recommend implementing the following measures:

  • Utilize a reliable security solution such as Kaspersky Unified Monitoring and Analysis Platform (KUMA) for endpoint-level detection, investigation, and timely incident remediation.
  • Regularly update the Microsoft Windows OS and third-party software to ensure the latest security patches are applied promptly.
  • Provide your Security Operations Center (SOC) team with access to the latest threat intelligence (TI) through Kaspersky Threat Intelligence, a comprehensive platform offering cyberattack data and insights accumulated by Kaspersky over 20 years.
  • Enhance the skills of your cybersecurity team to effectively combat the latest targeted threats through Kaspersky’s online training programs developed by GReAT experts.
  • Implement security awareness training to educate your team on phishing and social engineering techniques, utilizing platforms like the Kaspersky Automated Security Awareness Platform.

Author: Terry KS
