More details have emerged regarding the spyware implant used in Operation Triangulation, a campaign targeting iOS devices. Kaspersky, the cybersecurity company that discovered the operation, has codenamed the backdoor TriangleDB. The malware has a lifespan of 30 days, after which it automatically uninstalls unless the attackers extend the time period.
According to Kaspersky researchers, the implant is deployed after the attackers exploit a kernel vulnerability to gain root privileges on the target iOS device. It operates in memory, leaving no traces when the device is rebooted. This means that if the victim restarts their device, the attackers must reinfect it by sending an iMessage with a malicious attachment, initiating the entire exploitation chain once again.
Operation Triangulation relies on zero-click exploits through the iMessage platform, granting the spyware complete control over the device and user data. The attack involves an invisible iMessage with a malicious attachment, which exploits vulnerabilities in the iOS operating system to install the spyware without user interaction.
TriangleDB, written in Objective-C, forms the core of the covert framework. It establishes encrypted connections with a command-and-control (C2) server and periodically sends heartbeat beacons containing device metadata. In response, the server sends one of 24 commands that allow the extraction of iCloud Keychain data and loading of additional Mach-O modules to collect sensitive information.
This includes file contents, geolocation, installed iOS applications, running processes, and more. The attack chain concludes by erasing the initial message to cover up the tracks. Examination of the source code reveals unusual aspects, such as referring to string decryption as “unmunging” and using database terminology for files, processes, the C2 server, and geolocation information.
There is also a routine named “populateWithFieldsMacOSOnly,” which is not called in the iOS implant but suggests the possibility of TriangleDB being used to target macOS devices as well. The implant requests various entitlements (permissions) from the operating system, some of which are not utilized in the code, implying potential implementation in modules.
The campaign’s origin and ultimate objectives remain unknown. Apple has previously stated that it has never worked with any government to insert a backdoor into its products and never will. The Russian government, however, has accused the U.S. of breaching thousands of Apple devices belonging to both domestic subscribers and foreign diplomats in what it claims was a reconnaissance operation.
For more exclusive content and articles, follow us on Twitter and Telegram. Stay informed and protected from emerging threats.
