Operation Triangulation: Kaspersky Lab Uncovers Spy Implant Used to Collect Victims’ Data
Kaspersky Lab experts have published details of Operation Triangulation, a targeted attack campaign against devices running iOS. The implant used in the campaign, called TriangleDB, collects victims’ data and runs exclusively in the device’s memory, so its traces disappear on reboot.
In early June, the FSB and the FSO of Russia reported on “an intelligence operation by American intelligence services carried out using Apple mobile devices.” Kaspersky Lab then published a detailed report on the attack campaign, which was dubbed “Operation Triangulation”. According to the company, the purpose of the attacks was “invisibly injecting a spy module into the iPhone of company employees – both top management and middle managers.”
Kaspersky Lab researchers have now presented a detailed report on TriangleDB, which is written in Objective-C. The implant is deployed after the attackers obtain root privileges by successfully exploiting a vulnerability in the iOS kernel.
Once deployed, the implant runs exclusively in memory, so the infection leaves no traces once the device reboots. If the device is not rebooted, the implant uninstalls itself automatically after 30 days unless the attackers extend that period.
TriangleDB is sophisticated spyware with a wide range of data collection and monitoring functions. It implements 24 commands that let the attackers interact with the device’s file system (creating, modifying, exfiltrating and deleting files), manage processes (listing and terminating them), extract Keychain items to harvest credentials, and track the victim’s geolocation. It can also run additional modules: Mach-O files that the implant itself loads reflectively. These modules exist only in memory and are never written to disk.
While analyzing TriangleDB, the researchers found that its CRConfig class contains an unused method named populateWithFieldsMacOSOnly. This indirectly indicates that a similar implant may be used in attacks against devices running macOS.
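Because the additional modules are loaded reflectively and live only in memory, the place to look for them is a memory capture rather than the file system. The following is an added example (not Kaspersky’s tooling and not code from the report) of how an analyst can carve 64-bit Mach-O images out of a raw memory buffer: it scans for the MH_MAGIC_64 value, validates the header and load commands, and lists the segments of each image found. The memory dump is a constructed sample built by the script itself; the parser is deliberately limited to little-endian 64-bit headers and LC_SEGMENT_64 commands.

```python
import struct
from dataclasses import dataclass, field

# Mach-O constants from <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF
CPU_TYPE_ARM64 = 0x0100000C
CPU_TYPE_X86_64 = 0x01000007
MH_EXECUTE = 0x2
MH_BUNDLE = 0x8
LC_SEGMENT_64 = 0x19

FILETYPES = {MH_EXECUTE: "MH_EXECUTE", MH_BUNDLE: "MH_BUNDLE"}
CPUTYPES = {CPU_TYPE_ARM64: "arm64", CPU_TYPE_X86_64: "x86_64"}


@dataclass
class MachOImage:
    offset: int
    cputype: str
    filetype: str
    segments: list = field(default_factory=list)  # (segname, vmaddr, vmsize)


def parse_macho64(buf: bytes, off: int):
    """Parse a 64-bit Mach-O header at `off`; return a MachOImage, or None if it is not a valid header."""
    # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    hdr_fmt = "<IiiIIIII"
    hdr_len = struct.calcsize(hdr_fmt)  # 32 bytes
    if off + hdr_len > len(buf):
        return None
    magic, cputype, _sub, filetype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from(hdr_fmt, buf, off)
    if magic != MH_MAGIC_64:
        return None
    # Sanity bounds: a real image has a plausible command count and its load commands fit in the buffer.
    if ncmds == 0 or ncmds > 512 or off + hdr_len + sizeofcmds > len(buf):
        return None
    img = MachOImage(off, CPUTYPES.get(cputype, hex(cputype)), FILETYPES.get(filetype, hex(filetype)))
    pos = off + hdr_len
    end = pos + sizeofcmds
    for _ in range(ncmds):
        if pos + 8 > end:
            return None
        cmd, cmdsize = struct.unpack_from("<II", buf, pos)
        if cmdsize < 8 or pos + cmdsize > end:
            return None  # malformed command chain: treat the whole header as a false positive
        if cmd == LC_SEGMENT_64:
            # segment_command_64: cmd, cmdsize, segname[16], vmaddr, vmsize, fileoff, filesize, ...
            segname = buf[pos + 8:pos + 24].split(b"\0", 1)[0].decode("ascii", "replace")
            vmaddr, vmsize = struct.unpack_from("<QQ", buf, pos + 24)
            img.segments.append((segname, vmaddr, vmsize))
        pos += cmdsize
    return img


def carve_macho_images(buf: bytes):
    """Scan a memory buffer for MH_MAGIC_64 and return every position that parses as a valid image."""
    magic_le = struct.pack("<I", MH_MAGIC_64)
    found = []
    pos = buf.find(magic_le)
    while pos != -1:
        img = parse_macho64(buf, pos)
        if img is not None:
            found.append(img)
        pos = buf.find(magic_le, pos + 1)
    return found


def build_sample_image(segnames):
    """Construct a minimal arm64 MH_BUNDLE header with one LC_SEGMENT_64 per name (test data only)."""
    cmds = b""
    for i, name in enumerate(segnames):
        # 72-byte segment_command_64; vmaddr spaced one page apart, maxprot=7, initprot=5
        cmds += struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, name.encode().ljust(16, b"\0"),
                            0x1000 * (i + 1), 0x1000, 0, 0, 7, 5, 0, 0)
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_BUNDLE, len(segnames), len(cmds), 0, 0)
    return hdr + cmds


# Constructed memory dump: padding, one embedded image, more padding, then a bare magic value
# with no valid header behind it (a typical false positive a naive scanner would report).
SAMPLE_DUMP = (b"\x00" * 100
               + build_sample_image(["__TEXT", "__DATA", "__LINKEDIT"])
               + b"A" * 50
               + struct.pack("<I", MH_MAGIC_64) + b"\xff" * 20)

if __name__ == "__main__":
    for img in carve_macho_images(SAMPLE_DUMP):
        print(f"Mach-O at 0x{img.offset:x}: {img.cputype} {img.filetype}")
        for name, vmaddr, vmsize in img.segments:
            print(f"  {name:<12} vmaddr=0x{vmaddr:x} vmsize=0x{vmsize:x}")
```

On a real capture, replace SAMPLE_DUMP with the bytes of a process or kernel memory image; the header validation is what keeps the scan from flooding the output with every stray occurrence of the magic value, which is why the trailing bare magic in the sample is rejected.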
“While analyzing this attack, we discovered a complex iOS implant that has many noteworthy features. We continue our research and will keep you posted on our new findings about this sophisticated attack. We call on the cybersecurity community to come together to share knowledge and collaborate to get a clearer picture of existing threats,” comments Leonid Bezvershenko, cybersecurity expert at Kaspersky Lab.
Kaspersky Lab also released the free triangle_check utility, which allows users to find traces of infection in an Apple device backup.