Security researchers at Kaspersky have recently uncovered a sophisticated spyware implant called TriangleDB, part of an operation known as Triangulation.
According to an advisory published by the company earlier today, the implant specifically targets iOS devices via a malicious iMessage attachment. It is deployed after the attackers gain root privileges by exploiting a kernel vulnerability.
Read more on attacks targeting iOS devices: New Zero-Click iOS Exploit Deploys Israeli Spyware
Once installed, TriangleDB will reside in the device’s memory, making it difficult to detect. At the same time, a reboot of the device will effectively remove it. If no reboot takes place (and unless the attackers extend the period), the implant will uninstall itself automatically after 30 days.
TriangleDB is coded using Objective-C, and it communicates with a command-and-control (C2) server using the Protobuf library. The messages exchanged between the implant and the server are encrypted using symmetric and asymmetric cryptography.
The C2 server sends commands to the implant, which are executed to perform various tasks.
These commands include interacting with the device’s file system, monitoring processes, retrieving keychain items, geolocation tracking and running additional modules.
One notable command discovered monitors specified directories for modified files that match specific regular expressions. These files are then scheduled for exfiltration to the C2 server.
Further analysis of the TriangleDB implant is ongoing, and researchers at Kaspersky said they would continue investigating the campaign to gather more details about it.
“We continue analyzing the campaign and will keep everyone updated with further insights into this sophisticated attack,” said Georgy Kucherin, a security expert at Kaspersky’s Global Research and Analysis Team (GReAT).
“We call upon the cybersecurity community to unite, share knowledge and collaborate to get a clearer picture around the threats out there.”
The TriangleDB advisory comes weeks after Kaspersky released a new automated tool to help iOS users test whether their device has been infected with specific malware from Operation Triangulation.