
Kaspersky revealed details behind spyware targeting iOS devices

2023-06-25 03:28:42

Following its report on the Operation Triangulation campaign of attacks targeting iOS devices, Kaspersky is sharing details of the spyware implant used in those attacks.

Dubbed TriangleDB, the implant gives attackers covert surveillance capabilities. It runs only in memory, so all evidence of the implant is erased when the device is rebooted.

Kaspersky recently reported a new advanced persistent threat (APT) mobile campaign that specifically targets iOS devices via iMessage.

Following a six-month investigation, the company’s researchers published an in-depth analysis of the exploitation chain and uncovered details of how the spyware is installed.

TriangleDB

The implant, dubbed TriangleDB, is deployed by exploiting a kernel vulnerability to obtain root privileges on the target iOS device.

Once installed, it works only in the device’s memory, so the traces of the infection disappear when the device is rebooted.

Consequently, if the victim reboots their device, the attacker must re-infect it by sending another iMessage containing a malicious attachment, starting the entire exploitation chain all over again.

If the device is not rebooted, the implant automatically uninstalls itself after 30 days, unless the attackers extend this period. Operating as complex spyware, TriangleDB performs a wide range of data collection and monitoring functions.

In total, the implant implements 24 commands. These serve various purposes, such as interacting with the device’s file system (including creating, modifying, exfiltrating, and deleting files), managing processes (listing and terminating them), extracting items from the keychain to collect the victim’s credentials, and monitoring the victim’s geolocation, among others.

While analyzing TriangleDB, Kaspersky experts found that the CRConfig class contains an unused method called “populateWithFieldsMacOSOnly”. Although it is never called in the iOS implant, its presence suggests that macOS devices could be targeted with a similar implant.

“As we delved deeper into the attack, we discovered a complex iOS implant that displayed numerous intriguing oddities. We are continuing to analyze the campaign and will keep everyone updated with more information on this complex attack. We call on the cybersecurity community to come together, share knowledge, and collaborate to get a clearer picture of the threats out there,” commented Georgy Kucherin, security expert at Kaspersky’s Global Research and Analysis Team (GReAT).

triangle_check

Kaspersky researchers have also released a dedicated ‘triangle_check’ tool that automatically checks a device for signs of this infection.

To avoid falling victim to an attack directed by a known or unknown threat actor, Kaspersky researchers recommend the following measures:

- For timely detection, investigation, and remediation of endpoint-level incidents, use a trusted enterprise security solution, such as the Kaspersky Unified Monitoring and Analysis Platform (KUMA).
- Update the Microsoft Windows operating system and other third-party software as soon as possible, and do so regularly.
- Give your SOC team access to the latest threat intelligence (TI). Kaspersky Threat Intelligence is a single point of access for enterprise TI, providing information and data on cyberattacks collected by Kaspersky over more than 20 years.
- Improve your cybersecurity team’s ability to address the latest targeted threats with Kaspersky online training developed by GReAT experts.
- Since many targeted attacks start with phishing or other social engineering techniques, run security awareness training and teach your team practical skills, for example using the Kaspersky Automated Security Awareness Platform.
