Unmasking Operation Triangulation: In-depth Analysis of iOS Zero-Day Attacks

October 24, 2023

Kaspersky's investigation into a sophisticated attack on Apple iOS devices, known as Operation Triangulation, has revealed the use of a malicious implant called TriangleDB. This implant is equipped with at least four modules designed to record microphone activity, extract iCloud Keychain details, steal data from various app-based SQLite databases, and estimate the victim's location.

The attack was first identified in June 2023, when it was discovered that iOS devices were being targeted by a zero-click exploit that utilized zero-day security flaws (CVE-2023-32434 and CVE-2023-32435). The exploit used the iMessage platform to deliver a malicious attachment that could gain total control over the device and its user data. The scale and identity of the threat actor remain unknown.

The core of the attack framework is a backdoor called TriangleDB, which is deployed after the attackers gain root privileges on the target iOS device by exploiting a kernel vulnerability (CVE-2023-32434) that can be abused to execute arbitrary code. Kaspersky's researchers have found that the implant's deployment is preceded by two validator stages, the JavaScript Validator and the Binary Validator. These stages are executed to ensure that the target device is not associated with a research environment.

In a technical report published on Monday, Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Valentin Pashkov stated, "These validators collect various information about the victim device and send it to the C2 server. This information is then used to assess if the iPhone or iPad to be implanted with TriangleDB could be a research device. By performing such checks, attackers can make sure that their zero-day exploits and the implant do not get burned."

The attack begins with an invisible iMessage attachment sent to the victim, which triggers a zero-click exploit chain. This chain stealthily opens a unique URL containing obfuscated JavaScript and an encrypted payload. The payload is the JavaScript Validator, which performs a series of checks and applies a browser fingerprinting technique known as canvas fingerprinting. The collected information is then sent to a remote server in order to receive an unknown next-stage malware component.

The Binary Validator, a Mach-O binary file, is also delivered after a series of steps. The results of its actions are encrypted and sent to a command-and-control (C2) server to fetch the TriangleDB implant. Once the backdoor is established, it communicates with the C2 server and follows commands to delete crash log and database files, thus erasing any trace of the attack.

The implant also receives instructions to periodically exfiltrate files that contain location, iCloud Keychain, SQL-related, and microphone-recorded data. The microphone-recording module is designed to stop recording when the device screen is on, demonstrating the threat actor's intention to remain undetected. The location-monitoring module uses GSM data to estimate the victim's location when GPS data is not available.

Kaspersky's researchers concluded, "The adversary behind Triangulation took great care to avoid detection. The attackers also showed a great understanding of iOS internals, as they used private undocumented APIs in the course of the attack."
