TriangleDB Spyware: In-Depth Analysis and Protection Measures Against iOS Attacks

2023-06-22 17:25:35

Thursday, 4 Dhul-Hijjah 1444 AH / Thursday, June 22, 2023, 20:24

Following its report on the "Operation Triangulation" campaign targeting iOS devices, Kaspersky has published details of the spyware implant planted during the attacks. Dubbed TriangleDB, the implant gives the attackers covert surveillance capabilities. It runs only in memory, so all traces of it are erased when the device is restarted.

Kaspersky recently reported a new mobile Advanced Persistent Threat (APT) campaign that targets iOS devices via iMessage. After a six-month investigation, the company's researchers published an in-depth analysis of the exploit chain and revealed the details of the spyware implant. TriangleDB is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability. Once deployed, it runs only in the device's memory, so traces of the infection disappear when the device is restarted. If the victim reboots the device, the attacker has to re-infect it by sending another iMessage with a malicious attachment and running the entire exploit chain again. If no reboot occurs, the implant uninstalls itself automatically after 30 days, unless the attackers extend this period. For defenders, the flip side of this design is that a reboot also destroys volatile evidence, so detection has to rely on artifacts that survive on the device, such as the device backup that Kaspersky's triangle_check tool examines.

TriangleDB is sophisticated spyware that performs a wide range of data collection and monitoring. In total, the implant includes 24 commands. They serve various purposes, such as interacting with the device's file system (creating, modifying, exfiltrating and removing files), managing processes (listing and terminating them), extracting keychain items to collect the victim's credentials, and monitoring the victim's geolocation.

While analyzing TriangleDB, Kaspersky's experts found that the CRConfig class contains an unused method called populateWithFieldsMacOSOnly. Although it is not used in the iOS implant, its presence indicates that macOS devices could be targeted with a similar implant.

"While we were going through the attack, we discovered a sophisticated iOS implant that demonstrated many interesting features," said Georgy Kucherin, security expert in Kaspersky's Global Research and Analysis Team (GReAT). "We continue to analyze the campaign and will keep everyone posted with more information about this evolving attack. We call on the cybersecurity community to unite, share information, and collaborate to get a clearer picture of the threats out there."

To learn more about the TriangleDB spyware, visit Securelist.com.

Kaspersky researchers have released a dedicated tool, triangle_check, that automatically searches a device backup for traces of the infection. For a detailed guide on how to check your device, read the blog.

To avoid falling victim to an attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

- To detect, investigate and promptly remediate incidents at the endpoint level, use a reliable enterprise security solution, such as the Kaspersky Unified Monitoring and Analysis Platform (KUMA).
- Update operating systems (for this campaign, iOS in particular) and other third-party software as soon as possible, and do so regularly.
- Provide your SOC team with access to the latest Threat Intelligence (TI). Kaspersky Threat Intelligence is the company's single access point for threat intelligence, providing cyber-attack data and information collected by Kaspersky over 20 years.
- Develop your cybersecurity team's skills for dealing with the latest targeted threats through Kaspersky's online training developed by GReAT experts.
- Since many targeted attacks start with phishing or other social engineering techniques, provide security awareness training and teach practical skills to your team, for example through the Kaspersky Automated Security Awareness Platform.
- Use solutions that monitor, analyze and detect network traffic across your security systems, to ensure the best level of protection against attacks that may threaten the company's technological operations and key assets.
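Because TriangleDB lives only in memory, the device check mentioned above cannot look for the implant itself; it has to look at records that persist on the device and are captured in an iTunes/Finder backup. The following is an added example of the kind of heuristic such a backup check automates. It is not Kaspersky's triangle_check code and does not reproduce its logic: it reads the device's network data-usage database (DataUsage.sqlite, which a backup stores under the WirelessDomain domain at Library/Databases/DataUsage.sqlite) and flags network usage attributed to the deprecated BackupAgent binary, particularly when an IMTransferAgent entry (the process that downloads iMessage attachments) appears shortly before it. The ZPROCESS/ZLIVEUSAGE table layout, the ten-minute window and all sample rows are assumptions constructed for this example.

```python
"""Backup-side triage for a memory-only iOS implant (added example, not
Kaspersky's triangle_check code). Assumed table layout and constructed data."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Core Data stores timestamps as seconds since 2001-01-01 UTC.
COREDATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
SUSPECT_PROCESS = "BackupAgent"      # deprecated binary; BackupAgent2 is the live one
TRIGGER_PROCESS = "IMTransferAgent"  # downloads iMessage attachments


def to_coredata(dt: datetime) -> float:
    return (dt - COREDATA_EPOCH).total_seconds()


def from_coredata(ts: float) -> datetime:
    return COREDATA_EPOCH + timedelta(seconds=ts)


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for DataUsage.sqlite (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ZPROCESS (
            Z_PK INTEGER PRIMARY KEY, ZTIMESTAMP REAL,
            ZPROCNAME TEXT, ZBUNDLENAME TEXT);
        CREATE TABLE ZLIVEUSAGE (
            Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER, ZTIMESTAMP REAL,
            ZWIFIIN REAL, ZWIFIOUT REAL, ZWWANIN REAL, ZWWANOUT REAL);
    """)
    t0 = datetime(2023, 6, 1, 10, 0, tzinfo=timezone.utc)
    procs = [  # (pk, first seen, process name, bundle) - constructed rows
        (1, t0, "IMTransferAgent", "com.apple.imtransferagent"),
        (2, t0 + timedelta(minutes=3), "BackupAgent", ""),
        (3, t0 + timedelta(hours=5), "BackupAgent2", "com.apple.backupd"),
        (4, t0 - timedelta(days=1), "mobileassetd", "com.apple.mobileassetd"),
    ]
    usage = [  # (pk, process pk, when, wifi in, wifi out, wwan in, wwan out)
        (1, 4, t0 - timedelta(days=1), 1e6, 2e4, 0, 0),
        (2, 1, t0, 0, 0, 4.2e5, 3e3),                        # attachment arrives
        (3, 2, t0 + timedelta(minutes=3), 0, 0, 1.1e5, 9e3),  # BackupAgent talks out
        (4, 3, t0 + timedelta(hours=5), 5e7, 8e6, 0, 0),      # legitimate backup
    ]
    con.executemany("INSERT INTO ZPROCESS VALUES (?,?,?,?)",
                    [(pk, to_coredata(t), n, b) for pk, t, n, b in procs])
    con.executemany("INSERT INTO ZLIVEUSAGE VALUES (?,?,?,?,?,?,?)",
                    [(pk, p, to_coredata(t), a, b, c, d)
                     for pk, p, t, a, b, c, d in usage])
    con.commit()
    return con


def find_indicators(con: sqlite3.Connection, window_seconds: float = 600) -> list:
    """Return one finding per network-usage record attributed to BackupAgent,
    noting whether an iMessage attachment download preceded it within the window."""
    rows = con.execute("""
        SELECT p.ZPROCNAME, u.ZTIMESTAMP, u.ZWIFIOUT + u.ZWWANOUT
        FROM ZLIVEUSAGE u JOIN ZPROCESS p ON u.ZHASPROCESS = p.Z_PK
        ORDER BY u.ZTIMESTAMP""").fetchall()
    findings = []
    for i, (name, ts, bytes_out) in enumerate(rows):
        if name != SUSPECT_PROCESS:  # exact match: BackupAgent2 is benign
            continue
        preceded = any(n == TRIGGER_PROCESS and 0 <= ts - t <= window_seconds
                       for n, t, _ in rows[:i])
        findings.append({
            "process": name,
            "time": from_coredata(ts).isoformat(),
            "bytes_out": bytes_out,
            "after_imessage_transfer": preceded,
        })
    return findings


if __name__ == "__main__":
    for finding in find_indicators(build_sample_db()):
        print(finding)
```

Against a real, unencrypted backup you would open the file instead of the sample database, locating it through the backup's Manifest.db (the file ID is the SHA-1 of "WirelessDomain-Library/Databases/DataUsage.sqlite"). The exact-name comparison matters: the legitimate BackupAgent2 daemon must not trigger a finding, and any report should carry the timestamp and byte counts so an analyst can line it up with the SMS attachment records from the same backup.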