June 22, 2023

Operation Triangulation

Overview

Triangulation malware is now known to have been in use against Kaspersky employees for at least four years. It was delivered through invisible iMessage texts carrying a malicious attachment that exploited iOS vulnerabilities without requiring any user action. Once infected, the devices became a fully-featured APT (advanced persistent threat) platform through a second payload, as described by Kaspersky researchers. The malware has self-destructing properties: the initial text message that started the infection chain is deleted after the spyware is installed. Both the installation and the data transmission are hidden. The spyware is known to transmit microphone recordings, photos, geolocation, and other data about the device owner's activities to remote servers. It uses a technique called Canvas Fingerprinting to deduce the device's hardware and software combination before execution. Kaspersky notes that iOS 15.7 is the latest OS version that was successfully compromised, and there are no indications of the exploits working in more recent iOS versions.

Lookout Analysis

Once initial access to a device is gained, a further payload containing additional malware is downloaded from the attackers' servers. Kaspersky reported that the campaign started in 2019 and is still ongoing. While the initial text is wiped out, signs of infection are scattered across the device. These include system file modifications that prevent iOS updates from installing, deprecated library files, and abnormal data usage. Since these attacks have been found on devices running up to iOS 15.7, later iOS versions may already have fixed the vulnerabilities used in them. Using the Out of Date OS policy and ensuring that devices have auto-update enabled will help protect the devices.

Further, a set of domains is associated with this attack's malicious activity, along with additional domains used to issue commands for data collection. These can be blocked by ensuring Lookout's PCP module is in place and actively protecting the devices. Per Kaspersky's notes, however, the execution toolset lacks a persistence mechanism.

Authors

Lookout

Cloud & Endpoint Security

Lookout is a cybersecurity company that makes it possible for tens of millions of individuals, enterprises and government agencies to be both mobile and secure. Powered by a dataset of virtually all the mobile code in the world -- 40 million apps and counting -- the Lookout Security Cloud can identify connections that would otherwise go unseen and predict and stop mobile attacks before they do harm. The world's leading mobile network operators, including AT&T, Deutsche Telekom, EE, KDDI, Orange, Sprint, T-Mobile and Telstra, have selected Lookout as their preferred mobile security solution. Lookout is also partnered with such enterprise leaders as AirWatch, Ingram Micro, Microsoft, and MobileIron. Headquartered in San Francisco, Lookout has offices in Amsterdam, Boston, London, Sydney, Tokyo, Toronto and Washington, D.C.

Platform(s) Affected: iOS, Android
Entry Type: Threat Guidances
Threat Type: Vulnerability