Kaspersky reveals information about software that attacks iOS devices

Báo Sài Gòn Giải phóng, 30/06/2023


SGGPO

Following reports of the Operation Triangulation campaign targeting iOS devices, Kaspersky experts shed light on the details of the spyware used in the attack.

TriangleDB malware has hit iOS devices

Kaspersky recently reported on a new mobile APT (Advanced Persistent Threat) campaign targeting iOS devices via iMessage. After a six-month investigation, Kaspersky researchers have published an in-depth analysis of the exploit chain and detailed findings on the spyware infection.

The malware, called TriangleDB, is deployed by exploiting a vulnerability that gives it root access on iOS devices. Once launched, it operates only in the device's memory, so traces of the infection disappear when the device reboots. If the victim reboots the device, the attacker must re-infect it by sending another iMessage with a malicious attachment, starting the entire exploit chain over again.

If the device is not rebooted, the implant automatically uninstalls itself after 30 days, unless the attackers extend this period. Acting as sophisticated spyware, TriangleDB offers a wide range of data collection and monitoring capabilities.

The software includes 24 commands with diverse functions. These commands serve various purposes, such as interacting with the device's file system (including creating, modifying, extracting, and deleting files), managing processes (listing and terminating), extracting strings to collect victim credentials, and monitoring the victim's geographic location.

While analyzing TriangleDB, Kaspersky experts discovered that the CRConfig class contains an unused method called populateWithFieldsMacOSOnly. Although it is not used in the iOS infection, its presence suggests the possibility of targeting macOS devices.

Kaspersky recommends that users take the following measures to avoid becoming a victim of targeted attacks:

- For endpoint protection, investigation and response, use a reliable enterprise security solution, such as Kaspersky Unified Monitoring and Analysis Platform (KUMA).
- Update Microsoft Windows operating systems and third-party software as soon as possible, and regularly.
- Provide SOC teams with access to the latest Threat Intelligence (TI). Kaspersky Threat Intelligence is a simple access source for corporate TI, providing 20 years of cyberattack data and insights from Kaspersky.
- Equip cybersecurity teams to tackle the latest targeted threats with Kaspersky's online training course, developed by experts at GReAT.
- Since many targeted attacks start with phishing or social engineering tactics, provide security awareness training and skills training to your company employees, such as Kaspersky Automated Security Awareness Platform…

“As we dug deeper into the attack, we discovered that this sophisticated iOS infection had several strange features. We are continuing to analyze the campaign and will keep everyone updated as we learn more about this sophisticated attack. We urge the cybersecurity community to share knowledge and collaborate to get a clearer picture of the threats out there,” said Georgy Kucherin, security expert at Kaspersky’s Global Research and Analysis Team.


