Kaspersky, the Russian anti-malware provider, has delved into the spyware module used in a recent zero-click iMessage attack that was aimed at iOS devices within its corporate network.
Dubbed ‘Operation Triangulation’, Kaspersky revealed that the campaign targeted a number of iPhones of high-ranking employees via iMessages that contained a malicious attachment exploiting a remote code execution (RCE) vulnerability.
The exploit code also retrieves additional components to acquire root access on the target device. Subsequently, a spyware module, termed by Kaspersky as TriangleDB, is installed in memory, and the original iMessage is removed.
The implant lacks a persistence mechanism, meaning if the device is restarted, the entire exploitation process must be executed again for re-infection.
“If the device doesn’t undergo a reboot, the implant will automatically uninstall itself after a duration of 30 days, unless the attackers extend this period,” Kaspersky stated.
Crafted in Objective-C, the TriangleDB implant communicates with its command-and-control (C&C) server using the Protobuf library for data transfer. Encrypted with symmetric (3DES) and asymmetric (RSA) cryptography, messages are relayed over HTTPS in POST requests.
TriangleDB sends routine heartbeat messages to the C&C server, which replies with instructions transferred as Protobuf messages with obscure type names.
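The regular heartbeat described above is the kind of traffic pattern a network defender can hunt for without knowing the C&C host in advance. The following beaconing heuristic is an added example written for this article; it is not code from Kaspersky or from the report. It runs over a few constructed egress-proxy log lines (the host `c2-placeholder.example` and all addresses are invented), groups requests by client, destination host and method, and flags groups whose inter-request intervals are nearly constant, which is what an implant polling on a fixed schedule looks like from the proxy. The log format and the thresholds (`min_events`, `max_cv`) are assumptions to be tuned to a real environment.

```python
"""Beaconing heuristic over proxy logs (added example, constructed data)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: ISO timestamp, client IP, method, host, bytes sent.
# The "c2-placeholder.example" entries arrive exactly every 60 s; the
# "api.example.net" uploads are irregular, like ordinary user activity.
SAMPLE_LOG = """\
2023-06-01T10:00:00 10.0.0.5 POST c2-placeholder.example 412
2023-06-01T10:00:03 10.0.0.5 GET www.example.org 120
2023-06-01T10:01:00 10.0.0.5 POST c2-placeholder.example 410
2023-06-01T10:02:00 10.0.0.5 POST c2-placeholder.example 415
2023-06-01T10:02:17 10.0.0.5 POST api.example.net 9000
2023-06-01T10:03:00 10.0.0.5 POST c2-placeholder.example 411
2023-06-01T10:04:00 10.0.0.5 POST c2-placeholder.example 413
2023-06-01T10:09:41 10.0.0.5 POST api.example.net 31000
2023-06-01T10:05:00 10.0.0.5 POST c2-placeholder.example 409
2023-06-01T10:11:02 10.0.0.5 POST api.example.net 2200
2023-06-01T10:30:30 10.0.0.5 POST api.example.net 48000
2023-06-01T10:31:15 10.0.0.5 POST api.example.net 800
"""

# Assumed log layout; adapt the pattern to the proxy actually in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # do not abort a hunt because one line is odd
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "client": m["client"],
            "method": m["method"],
            "host": m["host"],
            "bytes": int(m["bytes"]),
        })
    return events


def find_beacons(events, min_events=5, max_cv=0.15):
    """Return {(client, host, method): stats} for groups that poll on a near-fixed period.

    The coefficient of variation (stdev / mean) of the gaps between consecutive
    requests is close to 0 for a timer-driven heartbeat and large for human traffic.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["client"], e["host"], e["method"])].append(e)

    findings = {}
    for key, evs in groups.items():
        if len(evs) < min_events:
            continue  # too few samples to judge periodicity
        evs.sort(key=lambda e: e["ts"])  # log order is not guaranteed
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            sizes = [e["bytes"] for e in evs]
            findings[key] = {
                "count": len(evs),
                "mean_interval_s": mean_gap,
                "interval_cv": round(cv, 3),
                "min_bytes": min(sizes),
                "max_bytes": max(sizes),  # heartbeats also tend to be uniform in size
            }
    return findings


if __name__ == "__main__":
    for key, stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(key, stats)
```

A low interval CV alone is not proof of an implant (software updaters and telemetry agents beacon too), so the output is a triage list: the next step is to check the flagged host against known-good destinations and look at what the client sends in those POST bodies.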
Kaspersky’s examination discovered 24 supported commands relating to file interaction, process interaction, keychain dumps (presumably for collecting credentials), geolocation tracking, and the execution of additional modules in the form of Mach-O executables.
The spyware keeps track of folder changes on the device to identify altered files with names that match certain regular expressions and earmarks these files for exfiltration.
The Kaspersky report also pinpointed signs suggesting that the threat actor behind the campaign might be targeting macOS devices with a similar implant.
Kaspersky reported the iOS zero-click attacks on its network the same day that Russia’s Federal Security Service (FSB) pointed fingers at US intelligence agencies, notably the NSA, for a spy campaign targeting thousands of iOS devices owned by local individuals and foreign diplomatic missions.