Experts Discover Deeper Insights into iOS Zero-Day Attacks

Oct 24, 2023 | Newsroom | Zero Day / Mobile Security

Operation Triangulation

The TriangleDB implant used to target Apple iOS devices packs at least four different modules that record from the microphone, extract the iCloud Keychain, steal data from SQLite databases used by various apps, and estimate the victim's location.

The findings come from Kaspersky, which detailed the lengths to which the adversary behind the campaign, dubbed Operation Triangulation, goes to hide and cover its tracks while surreptitiously extracting sensitive information from compromised devices.

The sophisticated attack first came to light in June 2023, when it emerged that iOS devices had been targeted by a zero-click exploit that weaponized two zero-day security flaws (CVE-2023-32434 and CVE-2023-32435) and abused the iMessage platform to deliver a malicious attachment capable of gaining complete control over the device and user data.

The scale of the campaign and the identity of the threat actor are not known at present, although Kaspersky itself became one of the targets at the beginning of the year, prompting it to investigate the different components of what it says is a fully-featured advanced persistent threat (APT) platform.

The core of the attack framework consists of a backdoor called TriangleDB that is deployed after attackers gain root privileges on a target iOS device by exploiting CVE-2023-32434, a kernel vulnerability that can be exploited to execute arbitrary code.


Now, according to the Russian cybersecurity company, the deployment of the implant is preceded by two validator stages, namely the JavaScript Validator and the Binary Validator, which are designed to make sure the target device is not associated with a research environment.

“These validators collect various information about the victim’s device and send it to the C2 server,” Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Valentin Pashkov said in a technical report published on Monday.

“This information is then used to determine whether the iPhone or iPad implanted with TriangleDB could be a research device. By making such checks, attackers can ensure that their zero-day exploits and the implant will not get burned.”

By way of background, the starting point of the attack chain is an invisible iMessage attachment received by the victim, which triggers a zero-click exploit chain designed to silently open a unique URL containing JavaScript as well as an encrypted payload.

Zero-Day Attacks on iOS

The payload is a JavaScript validator that, in addition to performing various arithmetic operations and checking for the presence of the Media Source API and WebAssembly, carries out a browser fingerprinting technique known as canvas fingerprinting by drawing a yellow triangle on a pink background with WebGL and computing a checksum of the result.
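To make the fingerprinting step concrete, here is an added example (not code from Kaspersky's report or from the validator itself) of a minimal WebGL canvas fingerprint in the style the article describes: a yellow triangle rendered on a pink background, the pixels read back and checksummed, combined with the Media Source and WebAssembly feature probes. The checksum algorithm (FNV-1a), the canvas size and the function names are assumptions for the example; `fnv1a32()`, `detectFeatures()` and `fingerprintFromPixels()` are pure and run under Node, while `renderTriangle()` needs a browser.

```javascript
// Added example, not from Kaspersky's report or the validator itself:
// a WebGL canvas fingerprint of the kind the article describes.

// FNV-1a, 32-bit, over a byte array; returned as 8 hex characters.
// (Assumed checksum; the report does not say which one the validator uses.)
function fnv1a32(bytes) {
  let h = 0x811c9dc5;
  for (let i = 0; i < bytes.length; i++) {
    h ^= bytes[i];
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Feature probes of the sort the validator performs; `g` defaults to the
// global object so the function can be exercised outside a browser.
function detectFeatures(g = globalThis) {
  return {
    mediaSource: typeof g.MediaSource !== "undefined",
    webAssembly: typeof g.WebAssembly !== "undefined",
  };
}

// Combine the rendered pixels with the feature flags into one fingerprint string.
function fingerprintFromPixels(pixels, features) {
  const flags = [features.mediaSource ? "ms" : "-", features.webAssembly ? "wasm" : "-"];
  return `${fnv1a32(pixels)}:${flags.join("|")}`;
}

// Draw a yellow triangle on a pink background with WebGL and read the pixels back.
// Small GPU/driver differences in rasterisation are what make the checksum vary
// between real devices and the emulators or VMs a researcher might use.
function renderTriangle(canvas) {
  const gl = canvas.getContext("webgl");
  if (!gl) throw new Error("WebGL unavailable");
  const compile = (type, src) => {
    const s = gl.createShader(type);
    gl.shaderSource(s, src);
    gl.compileShader(s);
    if (!gl.getShaderParameter(s, gl.COMPILE_STATUS)) throw new Error(gl.getShaderInfoLog(s));
    return s;
  };
  const prog = gl.createProgram();
  gl.attachShader(prog, compile(gl.VERTEX_SHADER,
    "attribute vec2 p; void main() { gl_Position = vec4(p, 0.0, 1.0); }"));
  gl.attachShader(prog, compile(gl.FRAGMENT_SHADER,
    "precision mediump float; void main() { gl_FragColor = vec4(1.0, 1.0, 0.0, 1.0); }")); // yellow
  gl.linkProgram(prog);
  gl.useProgram(prog);
  gl.bindBuffer(gl.ARRAY_BUFFER, gl.createBuffer());
  gl.bufferData(gl.ARRAY_BUFFER, new Float32Array([-0.8, -0.8, 0.8, -0.8, 0.0, 0.8]), gl.STATIC_DRAW);
  const loc = gl.getAttribLocation(prog, "p");
  gl.enableVertexAttribArray(loc);
  gl.vertexAttribPointer(loc, 2, gl.FLOAT, false, 0, 0);
  gl.clearColor(1.0, 0.75, 0.8, 1.0); // pink background
  gl.clear(gl.COLOR_BUFFER_BIT);
  gl.drawArrays(gl.TRIANGLES, 0, 3);
  const pixels = new Uint8Array(canvas.width * canvas.height * 4);
  gl.readPixels(0, 0, canvas.width, canvas.height, gl.RGBA, gl.UNSIGNED_BYTE, pixels);
  return pixels;
}

// Full fingerprint in a browser; the 64x64 canvas size is an assumption.
function fingerprintDevice() {
  const canvas = document.createElement("canvas");
  canvas.width = 64;
  canvas.height = 64;
  return fingerprintFromPixels(renderTriangle(canvas), detectFeatures());
}

if (typeof document !== "undefined") {
  console.log(fingerprintDevice());
} else {
  // Outside a browser, exercise the pure part with a constructed pixel buffer.
  const fakePixels = new Uint8Array([255, 191, 204, 255, 255, 255, 0, 255]); // one pink, one yellow pixel
  console.log(fingerprintFromPixels(fakePixels, detectFeatures()));
}
```

The point of reading back the pixels rather than just checking for WebGL support is that the checksum captures how a particular GPU, driver and browser build rasterise the triangle, which is why a value seen on a real iPhone can be distinguished from one produced by an emulator or an instrumented research browser.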

The information collected after this step is transmitted to a remote server to receive, in return, an unknown next-stage malware. Also delivered after a series of unspecified steps is a Binary Validator, a Mach-O binary file that carries out the operations below –

  • Remove crash logs from the /private/var/mobile/Library/Logs/CrashReporter directory to eliminate traces of possible exploitation
  • Remove evidence of the malicious iMessage attachments sent from 36 different attacker-controlled Gmail, Outlook, and Yahoo email addresses
  • Get a list of processes running on the device and of its network interfaces
  • Check whether the target device is jailbroken
  • Turn on personalized ad tracking
  • Gather information about the device (username, phone number, IMEI, and Apple ID), and
  • Get a list of installed apps

“What is interesting about these actions is that the validator executes them for both iOS and macOS systems,” the researchers said, adding that the results of the aforementioned actions are encrypted and exfiltrated to a command-and-control (C2) server in order to obtain the TriangleDB implant.


One of the first steps taken by the backdoor is to establish communication with the C2 server and send a heartbeat, after which it receives commands to delete crash log and database files in order to cover the forensic trail and hamper analysis.

Also issued to the implant are instructions to periodically exfiltrate files from the /private/var/tmp directory containing location, iCloud Keychain, SQL-related, and microphone-recorded data.

A unique feature of the microphone-recording module is its ability to suspend recording when the device's screen is turned on, indicating the threat actor's intention to fly under the radar.

In addition, the location-monitoring module is orchestrated to use GSM data, such as the mobile country code (MCC), mobile network code (MNC), and location area code (LAC), to triangulate the victim's location when GPS data is unavailable.
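As an added example of how cell identifiers can stand in for GPS (not code from Kaspersky's report and not the implant's own logic), the block below looks each observed cell up by its (MCC, MNC, LAC, cell ID) tuple in a tower database and combines the matches into a signal-strength-weighted centroid. The `TOWERS` table and the `OBSERVED` cells are constructed sample data; the field names, the RSSI weighting and the function names are assumptions, and a real implementation would query an offline cell database instead of an inline table.

```javascript
// Added example, not from Kaspersky's report: estimating a position from the
// cell identifiers the location module collects when GPS is unavailable.

// Constructed sample rows: cell identity plus the tower's known coordinates.
const TOWERS = [
  { mcc: 262, mnc: 1, lac: 4711, cid: 10001, lat: 52.5000, lon: 13.4000 },
  { mcc: 262, mnc: 1, lac: 4711, cid: 10002, lat: 52.5200, lon: 13.4200 },
  { mcc: 262, mnc: 1, lac: 4712, cid: 10003, lat: 52.5100, lon: 13.3800 },
];

// The (MCC, MNC, LAC, CID) tuple uniquely names a cell worldwide.
function cellKey(c) {
  return `${c.mcc}-${c.mnc}-${c.lac}-${c.cid}`;
}

function buildIndex(rows) {
  const index = new Map();
  for (const row of rows) index.set(cellKey(row), row);
  return index;
}

// Weight a cell by received signal strength in dBm. Under a free-space model
// received power falls with the square of distance, so 10^(rssi/10) is
// proportional to 1/d^2: stronger cells pull the estimate towards them.
function weightFromRssi(rssi) {
  return Math.pow(10, rssi / 10);
}

// Estimate position from the serving and neighbouring cells the device sees.
// Returns null when none of the observed cells is in the database, rather
// than inventing a position from nothing.
function estimateLocation(observed, index) {
  let sumW = 0, sumLat = 0, sumLon = 0, used = 0;
  for (const obs of observed) {
    const tower = index.get(cellKey(obs));
    if (!tower) continue; // unknown cell: skip it
    const w = weightFromRssi(obs.rssi);
    sumW += w;
    sumLat += w * tower.lat;
    sumLon += w * tower.lon;
    used++;
  }
  if (used === 0) return null;
  return { lat: sumLat / sumW, lon: sumLon / sumW, cellsUsed: used };
}

// Constructed observation: serving cell plus neighbours, with their RSSI.
const OBSERVED = [
  { mcc: 262, mnc: 1, lac: 4711, cid: 10001, rssi: -70 },
  { mcc: 262, mnc: 1, lac: 4711, cid: 10002, rssi: -90 },
  { mcc: 262, mnc: 1, lac: 4712, cid: 10003, rssi: -100 },
  { mcc: 262, mnc: 1, lac: 9999, cid: 42, rssi: -60 }, // not in the table
];

const INDEX = buildIndex(TOWERS);
console.log(estimateLocation(OBSERVED, INDEX));
```

With a single matching cell the estimate collapses to that tower's coordinates, which is roughly what the implant gets from LAC and cell ID alone; adding neighbouring cells with their signal strengths narrows the estimate, and the unknown cell in the sample is ignored rather than guessed.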

“The adversary behind Triangulation takes great care to avoid detection,” the researchers said. “The attackers also demonstrated a good understanding of iOS internals, as they used private undocumented APIs in the course of the attack.”
