The Phantom Intruder: Understanding TriangleDB’s Stealth Tactics

Kaspersky has revealed the intricacies of the spyware used in the Operation Triangulation campaign. Named “TriangleDB,” this covert surveillance tool was primarily utilized to target iOS devices. It functions solely in memory, removing all traces of itself upon device reboot.

Imagine a spy who can enter a highly guarded fortress, gather information, and leave without leaving behind a single footprint. That’s TriangleDB for you. Join us as we learn from Kaspersky how this dangerous tool works.


What Can TriangleDB Do on Your Device?

The TriangleDB implant, as revealed in the investigation by Kaspersky, is a highly sophisticated piece of spyware that possesses a broad range of capabilities, including:

Covert Surveillance: The implant operates solely within a device’s memory, leaving no trace of its presence after rebooting. This makes it difficult to detect.

Root Access: By exploiting a kernel vulnerability, the implant acquires root privileges on the targeted iOS device, giving it extensive control.

Data Collection: Once installed, the spyware can collect and monitor a wide range of data. It can extract keychain items to gather victim credentials and monitor the victim’s geolocation.

Filesystem Interaction: The spyware can interact with the device’s filesystem. This interaction includes file creation, modification, exfiltration, and removal.

Process Management: It can also manage processes on the infected device, including listing and termination.

Persistence: Unless the device is restarted or the implant decides to uninstall itself (which it automatically does after 30 days unless extended), the implant remains, conducting surveillance and data collection.

Potential macOS Threat: Although not confirmed, the presence of a particular unused method in the implant suggests that similar attacks might be planned against macOS devices.

How TriangleDB Works

TriangleDB is coded using Objective-C, a language that preserves the names of members and methods assigned by the developer. However, the names of class members in TriangleDB are uninformative acronyms, making it challenging to guess their meanings. 

For example, “osV” stands for the iOS version, and “iME” contains the device’s IMEI. Meanwhile, the strings in the implant are HEX-encoded and encrypted with a rolling XOR function.
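To make the string obfuscation concrete, here is an added example (not code from Kaspersky or from the implant) that hex-encodes and decodes strings with a rolling XOR. The exact rolling rule is an assumption for illustration: the key byte starts at a seed and is replaced by each ciphertext byte after use; the sample strings are constructed here.

```python
# Added example: hex-encoded, rolling-XOR obfuscated strings, as an analyst
# would decode them. The rolling rule (key starts at a seed and rolls to the
# ciphertext byte just produced) is ASSUMED for illustration, not the implant's.


def rolling_xor_encode(plaintext: bytes, seed: int) -> str:
    """Obfuscate plaintext with the assumed rolling XOR, then hex-encode it."""
    key = seed & 0xFF
    out = bytearray()
    for b in plaintext:
        c = b ^ key
        out.append(c)
        key = c  # the key rolls to the ciphertext byte just produced
    return out.hex()


def rolling_xor_decode(hex_blob: str, seed: int) -> bytes:
    """Reverse the scheme: hex-decode, then unroll the XOR chain byte by byte."""
    key = seed & 0xFF
    out = bytearray()
    for c in bytes.fromhex(hex_blob):
        out.append(c ^ key)
        key = c  # same rolling rule as the encoder, driven by ciphertext
    return bytes(out)


# Constructed sample table: plaintext -> obfuscated hex, using a chosen seed.
SEED = 0x5A
SAMPLES = {name: rolling_xor_encode(name.encode(), SEED) for name in ("heartbeat", "CRDo")}


def decode_all(samples: dict, seed: int) -> dict:
    """Decode every hex blob in a table; useful when dumping a string section."""
    return {k: rolling_xor_decode(v, seed).decode() for k, v in samples.items()}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{blob} -> {rolling_xor_decode(blob, SEED).decode()!r}")
```

Because the key depends on the previous ciphertext byte, a wrong seed only corrupts the first decoded byte; the rest still comes out readable, which is a useful hint when recovering such strings.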

Once the implant is launched, it communicates with the Command and Control (C2) server, using the Protobuf library for data exchange. 

The implant configuration contains two servers: the primary and the fallback. Usually, the implant uses the primary server; in case of an error, it switches to the fallback server. 

The messages sent and received are encrypted with symmetric (3DES) and asymmetric (RSA) cryptography. The implant periodically sends heartbeat beacons containing system information, including the implant version, device identifiers, and the configuration of the update daemon.

The C2 server responds to heartbeat messages with commands transferred as Protobuf messages. Some of the commands include:

  • CRDo: Executes a shell command and sends the output to the C2 server.
  • CRUpload: Exfiltrates a file from the device to the C2 server.
  • CRDownload: Downloads a file from the C2 server to the device.
  • CRFileOp: Performs file operations such as deletion and renaming.
  • CRPsList: Lists running processes on the device and sends the list to the C2 server.

How to Tell if Your Device is Compromised

Kaspersky has kindly provided the following indicators of compromise:

  • MD5: 063db86f015fe99fdd821b251f14446d
  • SHA-1: 1a321b77be6a523ddde4661a5725043aba0f037f
  • SHA-256: fd9e97cfb55f9cfb5d3e1388f712edd952d902f23a583826ebe55e9e322f730f
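As an added example (not a Kaspersky tool), the following checks a file against the three published hashes; the indicator values are copied from the list above, and the sample bytes at the bottom are constructed and benign.

```python
# Added example: match a file's digests against the published TriangleDB
# indicators. Indicator values are those quoted in the text above; the sample
# bytes used at the bottom are constructed and are not the implant.
import hashlib

TRIANGLEDB_IOCS = {
    "md5": "063db86f015fe99fdd821b251f14446d",
    "sha1": "1a321b77be6a523ddde4661a5725043aba0f037f",
    "sha256": "fd9e97cfb55f9cfb5d3e1388f712edd952d902f23a583826ebe55e9e322f730f",
}


def digests(data: bytes, algs=("md5", "sha1", "sha256")) -> dict:
    """Compute every listed digest so a match on any single indicator is caught."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algs}


def matching_iocs(data: bytes, iocs: dict = TRIANGLEDB_IOCS) -> list:
    """Return the algorithms whose digest of `data` equals a published indicator.
    Comparison is case-insensitive because IoC feeds mix upper and lower hex."""
    found = digests(data, tuple(iocs))
    return [alg for alg, expected in iocs.items() if found[alg] == expected.lower()]


def scan_file(path: str, iocs: dict = TRIANGLEDB_IOCS, chunk: int = 1 << 20) -> list:
    """Stream a file through all hashers at once, so large files are read only once."""
    hashers = {alg: hashlib.new(alg) for alg in iocs}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return [alg for alg, h in hashers.items() if h.hexdigest() == iocs[alg].lower()]


if __name__ == "__main__":
    sample = b"constructed benign sample, not the implant"
    print(matching_iocs(sample) or "no TriangleDB indicator matched")
```

Hash indicators only catch the exact binary Kaspersky analysed, so a clean result here is not proof of absence; the triangle_check utility mentioned later in the article looks at infection traces rather than file hashes.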

Oddities Found in The TriangleDB’s Toolset

The spyware incorporates a total of 24 commands that perform a variety of functions. These include interacting with the device’s filesystem for file creation, modification, extraction, and removal, managing processes, extracting keychain items to collect victim credentials, and tracking the victim’s geolocation. 

While studying TriangleDB, Kaspersky experts found an unused method in the CRConfig class named “populateWithFieldsMacOSOnly.” Though this method is not utilized in the iOS implant, it hints at the potential for similar implants targeting macOS devices.

Georgy Kucherin, a security expert at Kaspersky Global Research and Analysis Team (GReAT), remarked, “We found numerous intriguing oddities while dissecting this sophisticated iOS implant. We’re still analyzing the campaign and will keep everyone posted with more insights into this complex attack. We urge the cybersecurity community to join forces, exchange information, and collaborate to better understand the threats we face.”

Staying Safe from TriangleDB Spyware

The world of cybersecurity is akin to a perpetual game of chess. With every new threat, we must devise innovative strategies to counter it. TriangleDB is a formidable opponent, but that doesn’t mean we’re defenseless.

You can take several measures to reduce the risk of such attacks. These include:

Using a Reliable Security Solution: Implement a trusted security solution like Kaspersky Unified Monitoring and Analysis Platform (KUMA) for endpoint-level detection, investigation, and timely remediation of incidents.

Regularly Updating Your OS and Software: Ensure your Microsoft Windows OS and other third-party software are current. Regular updates often patch vulnerabilities that spyware like TriangleDB could exploit.

Equipping Your SOC Team With The Latest Threat Intelligence: Access to the latest threat intelligence data and insights can help your SOC team detect and counter threats more effectively. 

Investing in Cybersecurity Training: Enhance the skills of your cybersecurity team to tackle the latest threats through targeted training. For instance, Kaspersky offers online training developed by its Global Research and Analysis Team (GReAT). 

Raising Security Awareness: Many attacks start with phishing or other social engineering techniques. Therefore, it’s crucial to introduce security awareness training and teach practical skills to your team. 

Additionally, Kaspersky researchers have developed a unique ‘triangle_check’ utility that automatically scans for infection by this specific malware. You can download the utility from its GitHub repository for free.

Staying Safe from Advanced Persistent Threats

TriangleDB is an advanced cyber threat that specifically targets iOS devices. This spyware, which operates solely in the device’s memory, enables the attacker to perform a wide range of data collection and monitoring capabilities. 

The analysis of TriangleDB underlines the importance of robust cybersecurity practices, including regular software updates and security awareness training. It also underscores the need for collaboration among cybersecurity professionals to understand and combat evolving digital threats effectively. 

As cyber threats evolve and become more sophisticated, individuals and organizations must be vigilant and proactive in their cybersecurity efforts.
