In June 2023 [1] [2], Kaspersky discovered Operation Triangulation, a sophisticated attack campaign targeting Apple iOS devices through iMessage. The campaign used a zero-click exploit and a backdoor called TriangleDB to infiltrate devices undetected.

Description

Operation Triangulation exploited two zero-day vulnerabilities in the iMessage platform, allowing malicious attachments to gain complete control over targeted devices [8]. The TriangleDB backdoor [8], deployed after exploiting a kernel vulnerability [4] [7], accessed data from the iPhone’s Keychain and SQLite databases [6]. It also tracked the device’s location using GSM and GPS [6].

To avoid exposing its zero-day exploits [8], the attack chain employed JavaScript and binary validators [8]. The payload included a JavaScript validator that fingerprinted the browser using canvas fingerprinting [8]. A binary validator then erased traces of the exploitation and collected device information [8].

The implant communicated with a command-and-control server [4] [5] [7], receiving instructions and periodically exfiltrating files containing location and microphone-recorded data [7]. The microphone-recording module suspended recording when the device screen was turned on to avoid detection [1] [2], while the location-monitoring module used GSM data to triangulate the victim’s location when GPS data was unavailable [1] [2] [4].

Despite Kaspersky’s discovery of the TriangleDB implant, the identity of the threat actor behind Operation Triangulation remains unknown. Concerns persist about the malware’s capabilities [6], and there are indications that macOS may also be a target [6]. The campaign employed sophisticated tactics to conceal the adversary’s activities.

Conclusion

The discovery of the TriangleDB implant sheds light on its various modules, including the ability to record microphone audio, extract iCloud Keychain data [2] [3] [4] [7] [8], steal information from SQLite databases [1] [2] [3] [4] [7] [8], and estimate the victim’s location [1] [2] [3] [4] [7]. The impact of Operation Triangulation and the potential targeting of macOS raise concerns about the security of Apple devices. Mitigations and future implications should be considered to prevent similar attacks in the future.

References

[1] https://www.gamingdeputy.com/kaspersky-lab-experts-revealed-details-of-attacks-on-ios-devices/
[2] https://www.redpacketsecurity.com/ios-zero-day-attacks-experts-uncover-deeper-insights-into-operation-triangulation/
[3] https://cyber.vumetric.com/security-news/2023/10/24/ios-zero-day-attacks-experts-uncover-deeper-insights-into-operation-triangulation/
[4] https://thehackernews.com/2023/10/operation-triangulation-experts-uncover.html
[5] https://www.computerweekly.com/news/366556873/Kaspersky-opens-up-over-spyware-campaign-targeting-its-staffers
[6] https://stackdiary.com/iphone-spyware-secretly-recorded-users-through-microphone/
[7] https://vulners.com/thn/THN:25B24AFA7BC325E53076C8A0F5B14A47
[8] https://cybermaterial.com/deeper-insights-into-ios-zero-day-attacks/