June 22, 2023

Operation Triangulation

Platform(s) Affected
iOS
Platform(s) Affected
Android
Entry Type
Security Guidance
Threat Type
Vulnerability

Overview

Triangulation malware is now known to have been in use against Kaspersky employees for at least four years. It was delivered through invisible iMessage texts carrying a malicious attachment that exploited OS-level vulnerabilities in iOS without requiring any user action. Once a device was infected, a second payload turned it into a fully-featured APT (advanced persistent threat) platform, as described by Kaspersky researchers. The malware has self-destructing properties: the initial text message that started the infection chain is deleted after the spyware is installed. Both installation and data transmission are hidden. It is known to transmit microphone recordings, photos, geolocation, and other data related to the activities of the device owner to remote servers. The malware uses a technique called Canvas Fingerprinting to deduce the hardware-software combination of the device before execution. Kaspersky notes that iOS 15.7 is the latest OS version that was successfully compromised, and there are no indications of the exploits working in more recent iOS versions.

Lookout Analysis

Once initial access to a device is gained, another payload containing additional malware is downloaded from the attackers' servers. Kaspersky reported that the campaign started in 2019 and is still ongoing. While the initial text is wiped out, signs of infection remain scattered across the device. These include system file modifications that prevent iOS updates from installing, deprecated library files, and abnormal data usage. Since these attacks have been found on devices running up to iOS 15.7, later versions of iOS may already have fixed the vulnerabilities used in these attacks. Using the Out of Date OS policy and ensuring that devices have auto-update enabled will help protect the devices.
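As an added illustration of the out-of-date OS check described above (example code written for this page, not Lookout's or Kaspersky's own; the device names and inventory are constructed), the script below flags iOS devices at or below 15.7, the latest version the advisory reports as compromised, and devices with auto-update disabled. It compares versions numerically so that 15.10 is correctly ranked above 15.7.

```python
# Added example (not Lookout's or Kaspersky's code): an "out of date OS" policy
# check over a constructed device inventory. iOS 15.7 is the latest version the
# advisory reports as successfully compromised, so versions <= 15.7 are flagged.
from dataclasses import dataclass

LAST_KNOWN_COMPROMISED = "15.7"  # taken from the advisory text


def parse_version(v: str) -> tuple:
    """Turn '15.7.1' into (15, 7, 1) so comparisons are numeric, not lexical.
    A plain string compare would wrongly rank '15.10' below '15.7'."""
    return tuple(int(part) for part in v.strip().split("."))


def is_at_risk(os_version: str, threshold: str = LAST_KNOWN_COMPROMISED) -> bool:
    """True when the device runs a version <= the last known-compromised one.
    Point releases above it (e.g. 15.7.1) are not flagged, matching the advisory's
    statement that there is no indication of the exploits working on newer builds."""
    return parse_version(os_version) <= parse_version(threshold)


@dataclass
class Device:
    name: str          # hypothetical asset name
    platform: str
    os_version: str
    auto_update: bool


def evaluate(devices: list) -> dict:
    """Return a list of policy findings per device; an empty list means compliant."""
    findings = {}
    for d in devices:
        issues = []
        if d.platform == "iOS" and is_at_risk(d.os_version):
            issues.append(f"OS {d.os_version} is at or below {LAST_KNOWN_COMPROMISED}; update required")
        if not d.auto_update:
            issues.append("auto-update disabled")
        findings[d.name] = issues
    return findings


# Constructed sample inventory (hypothetical devices).
SAMPLE = [
    Device("exec-phone-01", "iOS", "15.7", False),
    Device("exec-phone-02", "iOS", "15.10", True),   # lexically "smaller", numerically newer
    Device("field-ipad-03", "iOS", "16.5.1", True),
    Device("lab-phone-04", "iOS", "14.8.1", True),
]

if __name__ == "__main__":
    for name, issues in evaluate(SAMPLE).items():
        print(name, "->", issues or "compliant")
```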

Further, several domains are associated with this attack's malicious activity, along with additional domains used to issue collection commands. These can be blocked by ensuring Lookout's PCP module is in place and actively protecting the devices. Note that, per Kaspersky, the execution toolset lacks a persistence mechanism.


Identify and Prevent Threats with Lookout Threat Advisory

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Lookout Threat Advisory provides cutting-edge mobile threat intelligence from Lookout's global sensor network of millions of mobile devices and insights from Lookout's top mobile security researchers, helping protect your organization from major threats.
