The TriangleDB implant, designed for infiltrating Apple iOS devices, incorporates four distinct modules: one for capturing audio from the device’s microphone, another for extracting data from the iCloud Keychain, a third for pilfering information from SQLite databases employed by multiple apps, and a fourth for approximating the location of the target.
Experts Uncover Deeper Insights into Operation Triangulation
Kaspersky’s report reveals the extensive efforts taken by the entity orchestrating Operation Triangulation to obscure their actions and covertly collect sensitive data from the compromised devices.
The advanced assault was initially discovered in June 2023, when it was revealed that iOS had fallen victim to a zero-click exploit.
This exploit utilized previously unknown security vulnerabilities (CVE-2023-32434 and CVE-2023-32435) and harnessed the iMessage platform to distribute a malicious attachment capable of seizing full control over the targeted device and its user data.
Currently, the scale of the campaign and the identity of the threat actor remain undisclosed. However, Kaspersky itself became a target early in the year, compelling the organization to launch an investigation into the numerous components of what it described as a comprehensive and advanced persistent threat (APT) platform.
At the heart of this attack framework lies a backdoor known as TriangleDB. It is deployed once the attackers successfully acquire root privileges on the targeted iOS device, achieved through the exploitation of CVE-2023-32434, a kernel vulnerability that enables the execution of arbitrary code.
“These validators gather diverse information about the victim’s device and transmit it to the C2 server,” noted Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Valentin Pashkov in a technical report released on Monday.
“The gathered information is subsequently utilized to evaluate whether the iPhone or iPad targeted for TriangleDB implantation might be a research device. Through these assessments, attackers can take precautions to avoid detection of their zero-day exploits and the implant.”
The data gathered at this stage is sent to a remote server to obtain unspecified next-stage malware. Alongside this, an undetermined sequence of steps results in the delivery of a Binary Validator, a Mach-O binary file that performs the following tasks:
- Eliminate crash logs from the /private/var/mobile/Library/Logs/CrashReporter directory to remove potential exploitation traces.
- Erase any signs of the malicious iMessage attachment by deleting it from 36 different attacker-controlled Gmail, Outlook, and Yahoo email addresses.
- Acquire a list of active processes on the device and inspect network interfaces.
- Verify whether the target device is jailbroken.
- Activate personalized ad tracking.
- Collect device details, including the username, phone number, IMEI, and Apple ID.
- Retrieve a list of installed applications.
One of the initial actions carried out by the backdoor is to establish contact with the C2 server and transmit a heartbeat. It then receives commands instructing the deletion of crash log and database files to conceal the forensic trail, impeding subsequent analysis.
Additionally, the implant receives directives to periodically extract files from the /private/var/tmp directory, containing data related to location, iCloud Keychain, SQLite databases, and recorded audio from the microphone.
“The entity orchestrating Triangulation demonstrated a high level of stealth,” noted the researchers. “Moreover, the attackers exhibited a profound grasp of iOS internals, evidenced by their utilization of private, undocumented APIs during the attack.”
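For defenders, the two file-system behaviours described above (crash logs removed from the CrashReporter directory, collected data staged under /private/var/tmp) can be correlated in a file timeline taken from a device acquisition. The sketch below is an added example, not code from Kaspersky's report: the timeline format, file names, seven-day threshold and the premise that a long window with no surviving crash logs deserves a second look are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

CRASH_DIR = "/private/var/mobile/Library/Logs/CrashReporter/"  # path named in the article
STAGING_DIR = "/private/var/tmp/"                              # path named in the article

# Constructed sample: (path, modification time) rows as a forensic timeline might list them.
SAMPLE_TIMELINE = [
    (STAGING_DIR + "constructed-blob-1", "2023-03-20T02:14:00"),
    (CRASH_DIR + "constructed-01.ips", "2023-04-01T09:00:00"),
    (CRASH_DIR + "constructed-02.ips", "2023-04-03T21:30:00"),
    (CRASH_DIR + "constructed-03.ips", "2023-04-08T07:15:00"),
    (STAGING_DIR + "constructed-blob-2", "2023-04-10T11:05:00"),
    (CRASH_DIR + "constructed-04.ips", "2023-04-12T18:40:00"),
]
IN_USE_SINCE = datetime(2023, 3, 1)   # assumed: when the device entered service
ACQUIRED_AT = datetime(2023, 4, 15)   # assumed: when the acquisition was taken

def parse(timeline):
    """Turn (path, ISO timestamp) rows into time-ordered (datetime, path) pairs."""
    return sorted((datetime.fromisoformat(ts), path) for path, ts in timeline)

def silent_windows(timeline, start, end, threshold=timedelta(days=7)):
    """Windows longer than `threshold` with no surviving crash log.

    A wipe removes every log older than the wipe, so the leading window
    (start of use -> oldest surviving log) is usually the telling one.
    """
    stamps = [t for t, p in parse(timeline)
              if p.startswith(CRASH_DIR) and start <= t <= end]
    edges = [start] + stamps + [end]
    return [(a, b) for a, b in zip(edges, edges[1:]) if b - a > threshold]

def staged_during(timeline, windows):
    """Files under the staging directory modified inside any silent window."""
    return [p for t, p in parse(timeline)
            if p.startswith(STAGING_DIR) and any(a <= t <= b for a, b in windows)]

def triage(timeline, start, end):
    """Pair each silent crash-log window with staging-directory activity in it."""
    windows = silent_windows(timeline, start, end)
    return {"silent_windows": windows,
            "staged_files": staged_during(timeline, windows)}

if __name__ == "__main__":
    report = triage(SAMPLE_TIMELINE, IN_USE_SINCE, ACQUIRED_AT)
    for begin, finish in report["silent_windows"]:
        print(f"no crash logs survive between {begin} and {finish}")
    for path in report["staged_files"]:
        print(f"staging-directory write inside that window: {path}")
```

A hit is only a lead for manual review: ordinary software also writes to /private/var/tmp, and quiet periods in crash logging have benign causes.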