October 24, 2023 at 03:03PM
Kaspersky has released a report detailing the iOS zero-click attacks it suffered. Dubbed ‘Operation Triangulation’, the attacks used malicious iMessage attachments to exploit a zero-day vulnerability and deploy spyware named TriangleDB. The attackers implemented stealth techniques to avoid detection, including using two validators to collect device information and ensure the code wasn’t executed on research environments. The spyware contained a microphone-recording module and other capabilities for exfiltrating data and monitoring locations. Kaspersky concluded that the attackers took great care to avoid detection.
From the meeting notes, it is clear that Kaspersky has released a report on the iOS zero-click attacks that targeted their senior employees. The attacks, known as ‘Operation Triangulation’, used malicious iMessage attachments to exploit a remote code execution vulnerability and deploy a spyware implant called TriangleDB. Apple released patches for the vulnerability in June.
The attacks were disclosed on the same day that Russia’s Federal Security Service blamed US intelligence agencies for a spy campaign targeting iOS devices belonging to diplomats.
Kaspersky’s report details the stealth techniques used in Operation Triangulation. Before deploying the TriangleDB implant, two validators were used to collect device information and ensure the code was not executed in research environments.
The first validator, an invisible iMessage attachment, silently opens an HTML page containing obfuscated JavaScript code. This code performs checks and fingerprinting, sends collected information to a remote server, and waits for the next stage.
The second validator, a Mach-O binary file, removes traces of the malicious iMessage attachment, checks for jailbreak status, collects user information, and enables personalized ad tracking. It implements these actions for both iOS and macOS and sends the data to a command-and-control server, which responds with the TriangleDB implant.
The implant searches for crash log and database files containing traces of the attachment and deletes them. It also includes a microphone-recording module, a keychain exfiltration module, SQLite database stealing capabilities, and a location-monitoring module.
Kaspersky concludes that the attackers took great care to avoid detection, using two validators to prevent delivery to security researchers and adjusting the microphone recording to stop when the screen is being used.