The TriangleDB implant used to target Apple iOS devices packs in at least four different modules to record microphone, extract iCloud Keychain, steal data from SQLite databases used by various apps, and estimate the victim's location.
The findings come from Kaspersky, which detailed the great lengths the adversary behind the campaign, dubbed Operation Triangulation, went to conceal and cover up its tracks while clandestinely hoovering sensitive information from the compromised devices.
The sophisticated attack first came to light in June 2023, when it emerged that iOS have been targeted by a zero-click exploit weaponizing then zero-day security flaws (CVE-2023-32434 and CVE-2023-32435) that leverages the iMessage platform to deliver a malicious attachment that can gain complete control over the device and user data.
The scale and the identity of the threat actor is presently unknown, although Kaspersky itself became one of the targets at the start of the year, prompting it to investigate the various components of what it said in a fully-featured advanced persistent threat (APT) platform.
The core of the attack framework constitutes a backdoor called TriangleDB that's deployed after the attackers obtain root privileges on the target iOS device by exploiting CVE-2023-32434, a kernel vulnerability that could be abused to execute arbitrary code.
Now, according to the Russian cybersecurity company, the deployment of the implant is preceded by two validator stages, namely JavaScript Validator and Binary Validator, that are executed to determine if the target device is not associated with a research environment.
"These validators collect various information about the victim device and send it to the C2 server," Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Valentin Pashkov said in a technical report published Monday.
"This information is then used to assess if the iPhone or iPad to be implanted with TriangleDB could be a research device. By performing such checks, attackers can make sure that their zero-day exploits and the implant do not get burned."
By way of background: The starting point of the attack chain is an invisible iMessage attachment that a victim receives, which triggers a zero-click exploit chain designed to stealthily open a unique URL containing obfuscated JavaScript as well as an encrypted payload.
The payload is the JavaScript validator that, besides conducting various arithmetic operations and checking for the presence of Media Source API and WebAssembly, performs a browser fingerprinting technique called canvas fingerprinting by drawing a yellow triangle on a pink background with WebGL and calculating its checksum.
The information collected following this step is transmitted to a remote server in order to receive, in return, an unknown next-stage malware. Also delivered after a series of undetermined steps is a Binary Validator, a Mach-O binary file that carries out the below operations -
- Remove crash logs from the /private/var/mobile/Library/Logs/CrashReporter directory to erase traces of possible exploitation
- Delete evidence of the malicious iMessage attachment sent from 36 different attacker-controlled Gmail, Outlook, and Yahoo email addresses
- Obtain a list of processes running on the device and the network interfaces
- Check if the target device is jailbroken
- Turn on personalized ad tracking
- Gather information about the device (username, phone number, IMEI, and Apple ID), and
- Retrieve a list of installed apps
"What is interesting about these actions is that the validator implements them both for iOS and macOS systems," the researchers said, adding the results of the aforementioned actions are encrypted and exfiltrated to a command-and-control (C2) server to fetch the TriangleDB implant.
One of the very first steps taken by the backdoor is to establish communication with the C2 server and send a heartbeat, subsequently receiving commands that delete crash log and database files to cover up the forensic trail and hamper analysis.
Also issued to the implant are instructions to periodically exfiltrate files from the /private/var/tmp directory that contain location, iCloud Keychain, SQL-related, and microphone-recorded data.
A notable feature of the microphone-recording module is its ability to suspend recording when the device screen is turned on, indicating the threat actor's intention to fly under the radar.
What's more, the location-monitoring module is orchestrated to use GSM data, such as mobile country code (MCC), mobile network code (MNC), and location area code (LAC), to triangulate the victim's location when GPS data is not available.
"The adversary behind Triangulation took great care to avoid detection," the researchers said. "The attackers also showed a great understanding of iOS internals, as they used private undocumented APIs in the course of the attack."
Gloss