More details have emerged about spyware implants delivered to iOS devices as part of a campaign called Operation Triangulation.
Kaspersky, which discovered the operation after being one of the targets earlier in the year, says the malware has a 30-day life-span, after which it will be automatically removed unless the time period is extended by attackers.
The Russian cybersecurity firm has given it a backdoor code name TriangleDB.
“The implant is implemented after an attacker gains root privileges on the target iOS device by exploiting a kernel vulnerability,” Kaspersky researchers said in a new report published today.
“It is used in memory, meaning all traces of the implant are lost when the device is rebooted. Therefore, if the victim reboots their device, the attacker must re-infect it by sending an iMessage with the malicious attachment, thereby launching the entire exploit chain again.”
Operation Triangulation relies on zero-click exploits delivered through the iMessage platform, allowing the spyware to take full control of the user’s device and data.
“The attack was carried out using an invisible iMessage with a malicious attachment, which used a number of vulnerabilities in the iOS operating system to run on the device and install spyware,” Eugene Kaspersky, CEO of Kaspersky, previously said.
“The spread of spyware is completely hidden and requires no action on the part of the user.”
TriangleDB, written in Objective-C, forms the core of the covert framework. It is designed to establish an encrypted connection with a command-and-control (C2) server and periodically send a heartbeat beacon containing device metadata.
The server, for its part, responds to the heartbeat message with one of 24 possible commands to dump iCloud Keychain data and load additional Mach-O modules in memory to harvest sensitive data.
This includes file contents, geolocation data, installed iOS apps, and running processes, among other things. The attack chain ends with the initial message being deleted to cover tracks.
Closer inspection of the source code has revealed some unusual aspects: the malware authors refer to string decryption as “unmunging” and borrow database terminology for files (records), processes (schemas), the C2 server (DB Server), and geolocation information (DB Status).
Another notable aspect is the presence of the routine “populateWithFieldsMacOSOnly.” While this method is never invoked in the iOS implant, its name raises the possibility that TriangleDB could also be weaponized to target macOS devices.
“The implant requests some rights (permissions) from the operating system,” the Kaspersky researchers said.
“Some of these are not used in the code, such as access to the camera, microphone, and address book, or interaction with devices via Bluetooth. Thus, the functionality provided by these rights can be implemented in modules.”
It is currently unknown who is behind the campaign and what their end goal is. Apple, in a previous statement shared with The Hacker News, said it has “never worked with any government to insert a backdoor into any Apple product and never will.”
However, the Russian government pointed the finger at the US, accusing it of breaking into “several thousand” Apple devices belonging to domestic customers and foreign diplomats as part of what it claims is a reconnaissance operation.