
Kaspersky reveals information about malware that attacks iOS devices.

Báo Sài Gòn Giải phóng, 30/06/2023


SGGPO

Following reports of Operation Triangulation targeting iOS devices, Kaspersky experts shed light on the details of the spyware used in the attack.

TriangleDB software has attacked iOS devices.

Kaspersky recently reported on a new mobile APT (Advanced Persistent Threat) campaign targeting iOS devices via iMessage. Following a six-month investigation, Kaspersky researchers published an in-depth analysis of the exploit chain and detailed findings about the spyware infection activity.

This malware, called TriangleDB, is deployed by exploiting a vulnerability to gain root access on iOS devices. Once launched, it only operates in the device's memory, so the infection trail disappears when the device restarts. Therefore, if the victim restarts the device, the attacker needs to re-infect the device by sending another iMessage with a malicious attachment, restarting the entire exploitation process.

If the device doesn't restart, the software will automatically uninstall itself after 30 days, unless the attackers extend this period. Operating as sophisticated spyware, TriangleDB provides numerous data collection and monitoring capabilities.

The software includes 24 commands with diverse functions. These commands serve various purposes, such as interacting with the device's file system (including creating, modifying, extracting, and deleting files), managing processes (listing and terminating), extracting strings to collect victim login information, and monitoring the victim's geographic location.

While analyzing TriangleDB, Kaspersky experts discovered that the CRConfig class contains an unused method called populateWithFieldsMacOSOnly. Although not used in the iOS malware, its presence suggests the potential to target macOS devices.

Kaspersky recommends that users take the following measures to avoid becoming victims of targeted attacks:

- For timely protection, investigation, and response at the endpoint level, use a reliable enterprise security solution, such as the Kaspersky Unified Monitoring and Analysis Platform (KUMA).
- Update Microsoft Windows operating systems and third-party software as soon as possible, and do so regularly.
- Provide SOC teams with access to the latest Threat Intelligence (TI) data. Kaspersky Threat Intelligence is a simple source of access to the company's TI, providing data on cyberattacks and reports from Kaspersky over the past 20 years.
- Equip cybersecurity teams with the skills to address the latest targeted threats through Kaspersky's online training, developed by experts at GReAT.
- Because many targeted attacks begin with phishing or social engineering tactics, provide security awareness training and guidance on necessary skills for company employees, such as the Kaspersky Automated Security Awareness Platform…

Georgy Kucherin, a security expert at Kaspersky's Global Research and Analysis Group, said: “As we delved deeper into the attack, we discovered that this sophisticated iOS malware had several unusual characteristics. We are continuing to analyze the campaign and will provide everyone with more in-depth information about this sophisticated attack. We call on the cybersecurity community to share knowledge and collaborate to gain a clearer picture of the threats out there.”


