



Cybersecurity firm Kaspersky, whose employees were spied on along with some iOS users, has figured out how the hackers did it. They used an implant called TriangleDB that gives attackers covert surveillance capabilities.

The company says it works only in memory, ensuring that all traces of the implant are erased when the device reboots.

Kaspersky said earlier this month that some employees and other users had their iOS devices compromised after a spyware attack. A new mobile Advanced Persistent Threat (APT) campaign called Operation Triangulation was found to target iOS devices via iMessage.


The implant is deployed by exploiting a kernel vulnerability to gain root privileges on the target iOS device. Once deployed, the implant operates only in the device’s memory, so, as Kaspersky notes, any trace of infection disappears when the device is rebooted.

Therefore, when the victim reboots the device, the attacker would have to reinfect the device by sending another iMessage with a malicious attachment and start the entire exploitation process again.

If no reboot occurs, the implant will automatically uninstall after 30 days unless the attacker extends this period. TriangleDB acts as a complex spyware, performing a wide range of data collection and monitoring functions.

In total the implant consists of 24 commands with different functions. These commands interact with the device’s file system (including creating, modifying, extracting, and deleting files), manage processes (listing and terminating), and extract keychain items to gather victim credentials. The implant also serves a variety of other purposes, including monitoring the geolocation of victims.

After six months of research, company researchers published a detailed analysis of the exploit chain, revealing details of the spyware implant operation.

Georgy Kucherin, a security expert with the Kaspersky Global Research and Analysis Team (GReAT), dug into this attack and found a sophisticated iOS implant that displayed a number of interesting oddities.

“We continue to analyze the campaign and stay updated with further insights into this advanced attack. We are calling on the cybersecurity community to come together, share knowledge and work together to get a clearer picture of the threats out there,” he said.

Issued June 23, 2023

