Cybersecurity firm Kaspersky, whose employees were under a spying attack along with some iOS users, has unwrapped the hackers’ modus operandi. They used an implant called as TriangleDB, which gives the attackers covert surveillance capabilities.
“It operates solely in memory, ensuring that all evidence of the implant is erased upon device reboot,” the firm said.
Early this month, Kaspersky admitted to a spyware attack on some of its employees and other users’ iOS, exposing the devices. The new mobile Advanced Persistent Threat (APT) campaign, which is being referred to as Operation Triangulation, is found to be targeting only iOS devices via iMessage.
“The implant is deployed by exploiting a kernel vulnerability to acquire root privileges on the targeted iOS device. Once deployed, it operates solely in the device’s memory, hence traces of the infection disappear upon the device reboot,” it points out.
Consequently, if the victim restarts their device, the attacker needs to reinfect it by sending another iMessage with a malicious attachment, again initiating the entire exploitation process.
“If no reboot occurs, the implant will automatically uninstall itself after 30 days, unless the attackers extend this period. Operating as complex spyware, TriangleDB performs a wide range of data collection and monitoring capabilities,” it said.
In all, the implant comprises 24 commands with diverse functionalities. These commands serve various purposes, such as interacting with the device’s filesystem (including file creation, modification, exfiltration, and removal), managing processes (listing and termination), extracting keychain items to gather victim credentials, and monitoring the victim’s geolocation, among others.
Following the six-month investigation, the company’s researchers have published an in-depth analysis of the exploitation chain and uncovered details of the spyware implant operation.
“As we delved into the attack, we discovered a sophisticated iOS implant that displayed numerous intriguing oddities,” Georgy Kucherin, a security expert at Kaspersky Global Research and Analysis Team (GReAT).
“We continue analysing the campaign and will keep everyone updated with further insights into this sophisticated attack. We call upon the cybersecurity community to unite, share knowledge and collaborate to get a clearer picture around the threats out there,” he said.
SHARE
Published on June 23, 2023
