A recent Kaspersky investigation into Operation Triangulation reveals the extent of a sophisticated zero-day attack campaign against Apple iOS devices. The attackers employed the TriangleDB implant, which comprises four modules dedicated to recording the microphone, extracting iCloud Keychain data, stealing information from SQLite databases used by various apps, and estimating the victim's location.
The campaign came to light in June 2023, when a zero-click exploit was exposed that harnessed two zero-day security flaws (CVE-2023-32434 and CVE-2023-32435) within the iMessage platform. This method allowed a malicious attachment to gain complete control over the targeted device and its user data.
The full scale of the campaign and the identity of the threat actor remain unknown, and Kaspersky itself fell victim to the campaign at the beginning of the year. This prompted the cybersecurity firm to scrutinize the various components of this advanced persistent threat (APT) platform. The linchpin of the attack framework is the TriangleDB backdoor, deployed after the attackers obtain root privileges through CVE-2023-32434, a kernel vulnerability that enables arbitrary code execution.
Notably, deployment of the implant involves two validator stages, known as the JavaScript Validator and the Binary Validator. These validators check whether the target device is a research environment, so that the zero-day exploits and the implant are not exposed to analysts. The attack chain begins with an invisible iMessage attachment received by the victim, which triggers a zero-click exploit chain that covertly opens a unique URL hosting obfuscated JavaScript and an encrypted payload.
The payload includes the JavaScript Validator, which performs a number of checks and fingerprints the browser using a technique called canvas fingerprinting. The collected information is sent to a remote server, which responds with the next-stage malware.
A Binary Validator is delivered next. It erases traces of exploitation, deletes evidence of the malicious attachments, retrieves device information, tracks ad activity, and obtains a list of installed apps. The results are encrypted and sent to a command-and-control (C2) server, which then serves the TriangleDB implant. The attackers show a profound understanding of iOS internals, using private, undocumented APIs to keep their actions hidden, a clear sign of their intent to fly under the radar and avoid detection.