New Report Exposes Operation Triangulation’s Spyware Implant Targeting iOS Devices

Additional information has been revealed regarding the spyware implant associated with a campaign named Operation Triangulation, particularly targeting iOS devices.

Kaspersky, a cybersecurity firm that itself became one of the campaign's targets earlier this year, has provided further insights. Its researchers found that the malware has a fixed lifespan of 30 days, after which it uninstalls itself automatically unless the attackers extend the duration.

Kaspersky has given the backdoor a codename, referring to it as TriangleDB.

According to researchers at Kaspersky, the implant is deployed once the attackers successfully acquire root privileges on the targeted iOS device by exploiting a vulnerability within the device’s kernel. This exploit serves as the entry point for installing the spyware. The findings were detailed in a recent report published by Kaspersky.

The spyware implant used in Operation Triangulation runs entirely in memory, so all traces of it are lost when the device is rebooted. Consequently, if the victim restarts their device, the attackers must reinfect it by sending another iMessage containing a malicious attachment, which restarts the entire exploitation chain.

The operation utilizes zero-click exploits through the iMessage platform, enabling the spyware to gain complete control over the targeted device and user data without requiring any action from the user.

Eugene Kaspersky, CEO of Kaspersky, explained that the attack involves an invisible iMessage carrying a malicious attachment. By exploiting multiple vulnerabilities within the iOS operating system, this attachment is executed on the device, resulting in the installation of the spyware.

At the core of this covert framework is TriangleDB, written in Objective-C. It serves as a vital component responsible for establishing encrypted connections with a command-and-control (C2) server. It periodically sends a heartbeat beacon containing device metadata to the server.

In response to these heartbeat messages, the server sends one of 24 commands. These commands enable the dumping of iCloud Keychain data and the loading of additional Mach-O modules into memory to extract sensitive information. This includes various types of data such as file contents, geolocation, installed iOS applications, and running processes. The attack chains conclude with the erasure of the initial message, covering up any evidence of the attack.

Upon closer examination of the source code, some interesting findings have emerged regarding the malware used in Operation Triangulation. The malware authors refer to string decryption as “unmunging” and use names associated with database terminology for files (record), processes (schema), the command-and-control (C2) server (DB Server), and geolocation information (DB Status).

Another noteworthy discovery is the presence of the routine “populateWithFieldsMacOSOnly.” Although this method is never called within the iOS implant, its name suggests that TriangleDB could also be used to target macOS devices.

The implant requests various entitlements, or permissions, from the operating system, as noted by Kaspersky researchers. Some of these entitlements, such as access to the camera, microphone, and address book, and Bluetooth interaction, are not used anywhere in the code. This suggests that the functionality these entitlements grant may be implemented in separate modules loaded later.

The identity of the actors behind the campaign and their ultimate objectives remain unknown. Apple has previously stated that it has never collaborated with any government to insert backdoors into its products and never will.

On the other hand, the Russian government has accused the United States of breaking into thousands of Apple devices belonging to both domestic subscribers and foreign diplomats, claiming the operation was conducted as a reconnaissance effort.