Operation Triangulation: A mobile APT campaign targeting iOS

The malware involved in the campaign, called TriangleDB by Kaspersky, is a backdoor that targets iOS and remains active for 30 days before automatically uninstalling itself unless the attackers extend its lifespan.

What is Operation Triangulation?

While monitoring its corporate Wi-Fi network with the Kaspersky Unified Monitoring and Analysis Platform (KUMA), Kaspersky discovered an ongoing targeted mobile attack campaign, dubbed “Operation Triangulation”, aimed specifically at iOS devices.

This campaign utilizes zero-click exploits through the iMessage platform, allowing the attackers to gain complete control over the device and user data.

How does it work?

TriangleDB is implanted only after the attackers exploit kernel vulnerabilities to obtain root privileges on the targeted iOS device.

The PoC exploit targets CVE-2022-22639, a vulnerability that can lead to elevated privileges. This issue was found in suhelperd, a helper daemon process for Software Update in macOS.

Source: Security online

  • The implant is deployed in memory, so all traces of the malware are lost when the device reboots.
  • If the victim restarts their device, the attackers must reinfect it by sending another malicious iMessage attachment, re-initiating the exploitation process.

Attack chain analysis

The attack chain of Operation Triangulation relies on invisible iMessages containing malicious attachments that exploit multiple vulnerabilities in the iOS operating system. Once executed on a device, the spyware is installed without the user’s knowledge or action.

“TriangleDB, written in Objective-C, serves as the core framework of this covert operation. It establishes encrypted connections with a command-and-control server, periodically sending heartbeat beacons with device metadata.”

Source: Securelist

  • In response to the heartbeat messages, the server sends one of 24 commands enabling the dumping of iCloud Keychain data and loading additional Mach-O modules in memory for harvesting sensitive information. 
  • This includes file contents, geolocation, installed iOS applications, running processes, and more. The attack concludes by erasing the initial message to cover the tracks.
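Kaspersky found the campaign through network monitoring rather than on the handsets, and the periodic heartbeat described above is the kind of behaviour such monitoring can key on. The following is an added example, not Kaspersky’s detection logic and not code from the original post: it scans a constructed connection log for source/destination pairs that connect at near-constant intervals. The log format, the addresses and the thresholds are all assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample connection log: timestamp, source, destination:port.
# These addresses are documentation ranges, not Operation Triangulation indicators.
SAMPLE_LOG = """\
2023-06-01T10:00:00 10.0.0.12 203.0.113.7:443
2023-06-01T10:00:17 10.0.0.12 198.51.100.20:443
2023-06-01T10:05:01 10.0.0.12 203.0.113.7:443
2023-06-01T10:08:44 10.0.0.12 198.51.100.20:443
2023-06-01T10:10:00 10.0.0.12 203.0.113.7:443
2023-06-01T10:14:59 10.0.0.12 203.0.113.7:443
2023-06-01T10:16:02 10.0.0.12 198.51.100.20:443
2023-06-01T10:20:01 10.0.0.12 203.0.113.7:443
2023-06-01T10:25:00 10.0.0.12 203.0.113.7:443
2023-06-01T10:31:40 10.0.0.12 198.51.100.20:443
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, min_events=5, max_jitter=0.10):
    """Return pairs whose inter-connection gaps are nearly constant.

    max_jitter is an assumed threshold on the coefficient of variation
    (standard deviation / mean) of the gaps; lower means more regular.
    The value reported per pair is the mean interval in seconds.
    """
    hits = {}
    for pair, times in flows.items():
        times = sorted(times)
        if len(times) < min_events:
            continue  # too few events to judge periodicity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_jitter:
            hits[pair] = round(mean)
    return hits


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: beacon every ~{interval}s")
```

Real implants add jitter to their check-in interval, so a threshold this tight is a starting point to tune against your own baseline, not a finished rule.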

Technical analysis

Upon closer examination of the source code, some peculiar aspects have been identified. 

  • The malware authors refer to string decryption as “unmunging” and borrow database terminology for various elements: files are “records”, processes are “schema”, the command-and-control server is the “DB Server”, and geolocation information is “DB Status”.
  • Another interesting discovery is a routine named “populateWithFieldsMacOSOnly,” even though it is not called in the iOS implant. This naming convention raises the possibility that TriangleDB might also be weaponized to target macOS devices.

Source: Securelist

  • The implant requests multiple entitlements (permissions) from the operating system, some of which are not utilized in the code, such as camera, microphone, address book access and Bluetooth interaction. This suggests that the functionalities granted by these entitlements may be implemented in separate modules.

What might be the objective?

The campaign’s ultimate objectives and the perpetrators’ identities remain unknown. Apple has denied any collaboration with governments to insert backdoors into their products. 

However, the Russian government has accused the U.S. of hacking “several thousand” Apple devices belonging to domestic subscribers and foreign diplomats, claiming it to be a reconnaissance operation.

Forward thoughts

Operation Triangulation has been active since 2019, and Kaspersky is still working to uncover further details of this attack chain on iOS. The campaign is a reminder of the constant need for vigilance regarding cyber security. Stay informed!

Author: PureVPN

Date: June 23, 2023

