June 22, 2023

Operation Triangulation

Overview

Triangulation malware is now known to be in use against Kaspersky employees for at least four years. It was delivered using invisible iMessage texts by attaching a malicious file that exploited OS-level vulnerabilities of iOS without needing any user action. Once these devices were infected, they were a fully-featured APT (advanced persistent threat) platform using a second payload, as described by Kaspersky researchers. The malware has self-destructing properties where the initial text message that started the infection chain gets deleted after the spyware is installed. The installation and data transmission is hidden. It is known to transmit microphone recordings, photos, geolocation, and other data related to the activities of the device owner to remote servers. The malware uses a technique called Canvas Fingerprinting to deduce the hardware-software combination of the device before execution. Kaspersky notes that iOS 15.7 is the latest OS version that was successfully compromised, and there are no indications of the exploits working in more recent iOS versions.

Lookout Analysis

Once the devices’ initial entry is gained, another payload is downloaded with additional malware from the attackers’ servers. Kaspersky reported that the campaign started in 2019 and still is ongoing. While the initial text is wiped out, the signs of infection are sprinkled across the device. These include system file modifications to prevent iOS update installation, deprecated library files, and abnormal data usage. Since these attacks have been found in devices up to iOS 15.7, the later versions of iOS might already have fixed the vulnerabilities used in these attacks. Using the Out of Date OS policy and ensuring that devices have auto-update enabled will help protect the devices.

Further, domains are associated with this attack’s malicious activity and additional ones for executing commands for collection. These can be blocked by ensuring Lookout’s PCP module is in place and actively protecting the devices. As per Kaspersky's notes, the execution toolset lacks a persistence mechanism though.

Authors

Lookout

Cloud & Endpoint Security

Lookout, Inc. is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack. Data is at the core of every organization, and our approach to cybersecurity is designed to protect that data within today’s evolving threat landscape no matter where or how it moves.

Platform(s) Affected
iOS
Platform(s) Affected
Android
Entry Type
Threat Guidances
Threat Type
Vulnerability
Platform(s) Affected
iOS
Android
Threat Guidances
Vulnerability
A person with a prosthetic arm working on a computer

Identify and Prevent Threats with Lookout Threat Advisory

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Lookout Threat Advisory offers advanced mobile threat intelligence, leveraging millions of devices in our global network and top security research insights to protect your organization.

HeaderHeaderHeaderHeader
CellCellCellCell
CellCellCellCell
CellCellCellCell
CellCellCellCell