October 24, 2023 at 05:45AM
The TriangleDB implant used in Operation Triangulation targets Apple iOS devices. It includes modules to record audio from the microphone, extract the iCloud Keychain, steal data from the SQLite databases of installed apps, and estimate the victim's location. Infection begins with a zero-click exploit delivered as an iMessage attachment, and the chain runs two validator stages that fingerprint the device so that devices which look like security-research devices can be screened out before the implant is deployed. The identity of the threat actor remains unknown, but the operation is considered highly sophisticated.
Key Takeaways:
– The TriangleDB implant used to target Apple iOS devices consists of four modules: recording the microphone, extracting the iCloud Keychain, stealing data from app SQLite databases, and estimating the victim's location.
– Kaspersky named the campaign behind the attack “Operation Triangulation” and highlighted the extensive efforts made by the threat actor to conceal its activities.
– Kaspersky first disclosed the campaign in June 2023, after finding that iOS devices on its own network had been compromised through zero-click exploits.
– The scale of the campaign and the identity of the threat actor remain unknown; Kaspersky was itself among the targets, which is how it came to investigate.
– The attack framework includes a backdoor named TriangleDB, which is deployed in memory after the attacker gains root privileges on the target device through a kernel vulnerability.
– The deployment of the implant involves two validator stages, a JavaScript Validator and a Binary Validator, which collect information about the victim's device and assess whether it is a research device.
– The attack chain starts with an invisible iMessage attachment that triggers a zero-click exploit; the chain then loads obfuscated JavaScript (the JavaScript Validator) that performs browser fingerprinting of the device.
– The Binary Validator removes crash logs, deletes evidence of the malicious attachment from the device's messaging database, checks whether the device is jailbroken, and gathers device and installed-app information.
– The TriangleDB implant communicates with a command-and-control server: it sends a periodic heartbeat and receives commands, including ones to delete files and to exfiltrate data.
– The microphone-recording module suspends recording when the device screen is turned on, so that the user does not notice the activity.
– The location-monitoring module falls back to GSM cell data (MCC, MNC, LAC and cell ID) to estimate the victim's location when GPS data is unavailable.
– The threat actor demonstrated a high level of sophistication and understanding of iOS internals by using private undocumented APIs.
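The heartbeat behaviour described in the takeaways is the one part of the implant a defender can observe without access to the device: an implant that checks in on a fixed schedule produces connections with near-constant inter-arrival times. The following is an added example, not part of the original summary and not Kaspersky's tooling or TriangleDB's actual protocol; it scores (source, destination) pairs in a connection log by the regularity of their timing. The log format, hosts, the 300-second interval and the `max_cv` threshold are all constructed assumptions for illustration.

```python
"""Periodic-beacon detection over connection logs.

Added example, not part of the original summary and not Kaspersky's tooling or
TriangleDB's own protocol. It generalises the heartbeat behaviour described
above: an implant that checks in on a fixed schedule produces connections with
near-constant inter-arrival times, which a network observer can score. The log
format, hosts, interval and threshold are all constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: "<epoch_seconds> <src_ip> <dst_ip> <bytes_out>".
# 203.0.113.7 receives a small request roughly every 300 s (beacon-like);
# 198.51.100.20 receives irregular, variously sized traffic (normal browsing).
SAMPLE_LOG = """\
1698100000 10.0.0.12 203.0.113.7 512
1698100300 10.0.0.12 203.0.113.7 520
1698100601 10.0.0.12 203.0.113.7 508
1698100899 10.0.0.12 203.0.113.7 516
1698101201 10.0.0.12 203.0.113.7 511
1698101498 10.0.0.12 203.0.113.7 519
1698100042 10.0.0.12 198.51.100.20 14020
1698100310 10.0.0.12 198.51.100.20 90311
1698103000 10.0.0.12 198.51.100.20 2200
1698105555 10.0.0.12 198.51.100.20 7000
1698107000 10.0.0.12 198.51.100.20 31337
"""


def parse_log(text):
    """Group connection timestamps by (src, dst); malformed lines are skipped."""
    flows = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, _size = parts
        flows[(src, dst)].append(int(ts))
    return flows


def detect_beacons(text, min_obs=5, max_cv=0.10):
    """Score each (src, dst) pair by the regularity of its connection timing.

    cv is the coefficient of variation (stdev / mean) of the inter-arrival
    intervals: 0 means perfectly periodic. Pairs with fewer than min_obs
    connections are reported but never flagged, because too few samples make
    the statistic meaningless. The max_cv threshold is an assumption to tune
    against real traffic, not a published indicator.
    """
    results = {}
    for pair, stamps in parse_log(text).items():
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) < min_obs or not intervals:
            results[pair] = {"observations": len(stamps), "periodic": False}
            continue
        avg = mean(intervals)
        # A burst of connections at the same second has avg == 0; that is not a beacon.
        cv = pstdev(intervals) / avg if avg > 0 else float("inf")
        results[pair] = {
            "observations": len(stamps),
            "mean_interval": avg,
            "interval_cv": cv,
            "periodic": cv <= max_cv,
        }
    return results


if __name__ == "__main__":
    for pair, info in sorted(detect_beacons(SAMPLE_LOG).items()):
        print(pair, info)
```

On the constructed sample the pair talking to 203.0.113.7 comes out with a coefficient of variation well under 0.01 and is flagged, while the browsing-like pair scores above 0.5 and is not. Two caveats apply in practice: real command-and-control traffic usually adds jitter to its schedule, so the threshold has to be tuned (or intervals binned) against the environment's baseline, and a low-and-slow implant needs a long observation window before it reaches `min_obs`. Because iOS offers little on-device visibility, a check like this belongs at a network egress point (a managed Wi-Fi gateway or VPN concentrator) rather than on the phone.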