Analyzing the TriangleDB implant used in Operation Triangulation

Kaspersky provided more details about Operation Triangulation, including the exploitation chain and the implant used by the threat actors.

Kaspersky researchers dug into Operation Triangulation and discovered more details about the exploit chain employed to deliver the spyware to iOS devices.

In early June, the researchers from the Russian firm Kaspersky uncovered a previously unknown APT group that is targeting iOS devices with zero-click exploits as part of a long-running campaign dubbed Operation Triangulation.

The experts discovered the attack while monitoring the network traffic of their own corporate Wi-Fi network dedicated to mobile devices using the Kaspersky Unified Monitoring and Analysis Platform (KUMA).

According to Kaspersky researchers, Operation Triangulation began at least in 2019 and is still ongoing.

The attack chains commenced with a message sent via the iMessage service to an iOS device. The message has an attachment containing an exploit. The expert explained that the message triggers a remote code execution vulnerability without any user interaction (zero-click).

Shortly after Kaspersky’s disclosure, Russia’s FSB accused the US intelligence for the attacks against the iPhones. According to Russian intelligence, thousands of iOS devices belonging to domestic subscribers and diplomatic missions and embassies have been targeted as part of Operation Triangulation.

The operations aimed at gathering intelligence from diplomats from NATO countries, Israel, China and Syria.

FSB believes that Apple supported US intelligence in this cyberespionage campaign.

Kaspersky initially reported that the exploit used in the attack downloads multiple subsequent stages from the C2 server, including additional exploits for privilege escalation. The final payload is downloaded from the same C2 and is described by Kaspersky as a fully-featured APT platform.

Then the initial message and the exploit in the attachment are deleted.

The researchers noticed that the malicious toolset does not support persistence, likely due to the limitations of the OS. The devices may have been reinfected after rebooting. 

The attack successfully targeted iOS 15.7, the analysis of the final payload has yet to be finished. The malicious code runs with root privileges, it supports a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C2 server.

Today Kaspersky announced that after a six-month-long investigation, they have completed the collection of all the components of the attack chain and the analysis of the spyware implant, tracked as TriangleDB.

The attackers exploit the implant kernel vulnerability to obtain root privileges on the target iOS device and install the implant. The spyware is directly deployed in memory, but if the victim reboots the device the malware doesn’t persist. In any case, the implant uninstalls itself after 30 days if the system is not rebooted. However, attackers can extend this period.

TriangleDB is written in Objective-C, once executed it connects to the C2 server using the Protobuf library for exchanging data.

The implant configuration contains two servers, the primary one and the fallback.

The messages are encrypted with symmetric (3DES) and asymmetric (RSA) cryptography, they are exchanged via the HTTPS protocol in POST requests

The malware periodically sends heartbeat beacons to the C2, they contain system information such as the implant version, device identifiers (IMEI, MEID, serial number, etc.) and the configuration of the update daemon (whether automatic downloads and installations of updates are enabled).

In turn, the C2 server responds by sending commands to the implant.

“Commands are transferred as Protobuf messages that have type names starting with CRX.” reads the analysis published by Kaspersky. “In total, the implant we analyzed has 24 commands designed for:

Interacting with the filesystem (creation, modification, exfiltration and removal of files);

Interacting with processes (listing and terminating them);

Dumping the victim’s keychain items, which can be useful for harvesting victim credentials;

Monitoring the victim’s geolocation;

Running additional modules, which are Mach-O executables loaded by the implant. These executables are reflectively loaded, with their binaries stored only in memory.
The analysis of the code revealed that the authors refer to string decryption as “unmunging” (as the method performing string decryption is named +[CRConfig unmungeHexString:]. The experts also observed that different entities were given names from database terminology, for this reason, they called the implant TriangleDB:

The researchers also noticed that the class CRConfig, which stores the implant’s configuration, has a method named populateWithFieldsMacOSOnly. The method is not invoked in the iOS implant, but the name suggests the existence of a macOS version of the malware.

Kaspersky is still analyzing this campaign, meantime, they shared indicators of compromise (IoCs) for TriangleDB.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, TriangleDB)

The post Analyzing the TriangleDB implant used in Operation Triangulation appeared first on Security Affairs.