TriangleDB, spyware implant of Operation Triangulation | Kaspersky official blog
Credit to Author: Kaspersky Team| Date: Wed, 21 Jun 2023 14:54:28 +0000
Not so long ago, our technologies detected a new APT attack on iPhones. The attack was part of a campaign aimed at, among others, Kaspersky employees. Unknown attackers used an iOS kernel vulnerability to deploy a spyware implant dubbed TriangleDB in the device’s memory. Our experts have been able to study this implant thoroughly.
What can the TriangleDB implant do?
Studying this implant was no easy task, since it works only in the phone’s memory — leaving no traces in the system. That is, the reboot completely wipes all traces of the attack, and the malware had a self-destruct timer that activated automatically 30 days after the initial infection (if the operators decided not to send a command to extend its working time). The basic functionality of the implant includes the following features:
- file manipulation (creation, modification, deletion and exfiltration);
- manipulations with running processes (getting a list and terminating them);
- exfiltration of iOS keychain elements — which may contain certificates, digital identities, and/or credentials for various services;
- transmission of geolocation data — including coordinates, altitude, and speed and direction of movement.
Also, the implant can load additional modules into the phone’s memory and run them. If you’re interested in the technical details of the implant, you can find them in a post on the Securelist blog (aimed at cybersecurity experts).
APT attacks on mobile devices
Recently, the main target of APT attacks in general has mostly been traditional personal computers. However, modern mobile devices are these days comparable to office PCs in terms of both performance and functionality. They’re used to interact with business-critical information, store both personal and business secrets, and can serve as access keys to work-related services. Therefore, APT groups are putting all the more effort into designing attacks on mobile operating systems.
Of course, Triangulation is not the first attack aimed at iOS devices. Everyone remembers the infamous (and, unfortunately, still ongoing) case of the commercial spyware Pegasus. There were other examples too, like Insomnia, Predator, Reign, etc. Also, it’s no wonder that APT-groups are interested in the Android OS as well. Not so long-ago news outlets wrote about an attack by the “Transparent Tribe” APT group, which used the CapraRAT backdoor against Indian and Pakistani users of this system. And in the third quarter of last year, we discovered previously unknown spyware targeting Farsi-speaking users.
All this suggests that in order to protect a company from APT attacks these days, it’s necessary to ensure the security of not only stationary equipment — servers and workstations — but also of mobile devices used in the work process.
How to improve your chances against APT attacks on mobiles
It would be wrong to assume that the default protection technologies provided by device manufacturers are enough to protect mobile devices. The Operation Triangulation case clearly shows that even Apple technologies aren’t perfect. Therefore, we recommend that businesses should always employ a multi-level protection system, which includes convenient tools allowing for mobile device control, plus systems that can monitor their network interactions.
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
- Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence is a single point of access for the company’s TI, providing it with cyberattack data and insights gathered by Kaspersky spanning over 20 years.
- Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by our experts.
- To help free-up your SOC from routine alert triage tasks, use proven managed detection and response service, such as Kaspersky Managed Detection and Response. The service combines AI-based detection technologies with extensive expertise in threat hunting and incident response from professional units including Kaspersky Global Research & Analysis Team (GReAT).