Kaspersky Experts Reveal Details of Spyware Implant Used in ‘Operation Triangles’ Campaign
Thursday, 22 June 2023 – Kaspersky experts have provided insight into the spyware implant used in the recent ‘Operation Triangles’ campaign targeting iOS devices. The implant, known as TriangleDB, grants attackers covert monitoring capabilities and operates solely in the device’s memory, ensuring that all evidence of its presence is erased upon device restart.
The ‘Operation Triangles’ campaign, which specifically targets iOS devices via iMessage, was recently reported by Kaspersky after a six-month investigation. In their in-depth analysis of the exploit chain, the researchers unveiled the details of the TriangleDB spyware implant. The implant is deployed by exploiting a vulnerability in the kernel to gain initial privileges on the target iOS device. Once deployed, it runs exclusively in the device’s memory, making any traces of infection disappear upon restart.
If a victim reboots their device, the attacker must re-infect them by sending another iMessage with a malicious attachment, restarting the entire exploit process. If no reboot occurs, the implant automatically uninstalls itself after 30 days unless the attackers extend this period.
TriangleDB acts as sophisticated spyware, capable of performing various data collection and monitoring tasks. The implant includes 24 commands with functions such as interacting with the device’s file system, managing operations, extracting keychain items to collect victim credentials, and monitoring the victim’s geographic location.
During the analysis of TriangleDB, Kaspersky experts discovered an unused method called populateWithFieldsMacOSOnly in the CRConfig class. Although not used in the iOS implant, its presence suggests that macOS devices could be targeted with a similar implant.
Georgy Kucherin, a security expert in Kaspersky’s Global Research and Analysis Team, stated, “While we were going through the attack, we discovered a sophisticated iOS implant that demonstrated many interesting features. We continue to analyze the campaign and will keep everyone posted with more information about this evolving attack. We call on the cybersecurity community to unite, share information, and collaborate to get a clearer picture of the threats out there.”
To learn more about the TriangleDB spyware, visit Securelist.com. Kaspersky researchers have also released a special ‘triangle_check’ tool that automatically searches for malware infection. For a detailed guide on how to check your device, read the blog.
In order to avoid falling victim to known or unknown threat actors, Kaspersky researchers recommend implementing several measures. These include using a reliable enterprise security solution like Kaspersky Unified Monitoring and Analysis Platform (KUMA) to detect, investigate, and remediate incidents at the endpoint level. Regularly updating Microsoft Windows OS and other third-party software is also crucial. Providing the SOC team with access to the latest Threat Intelligence (TI) through Kaspersky Threat Intelligence can enhance security. Additionally, developing the skills of the cybersecurity team to deal with targeted threats and providing security awareness training can help prevent attacks.
By using solutions to monitor, analyze, and detect network traffic across security systems, companies can ensure the best level of protection against potential attacks on their technological operations and key assets.
As the ‘Operation Triangles’ campaign highlights the evolving nature of cyber threats, Kaspersky urges the cybersecurity community to collaborate and share information to combat these threats effectively.