Russian anti-malware vendor Kaspersky has analyzed the spyware implant deployed as part of recent zero-click iMessage attack that targeted iOS-powered devices in its corporate network.
Referred to as Operation Triangulation, Kaspersky said the campaign targeted several dozen iPhones belonging to senior employees via iMessages carrying a malicious attachment containing an exploit for a remote code execution (RCE) vulnerability.
The exploit code also downloads additional components to obtain root privileges on the target device, after which a spyware implant that Kaspersky dubbed TriangleDB is deployed in memory and the initial iMessage is deleted.
The implant does not feature a persistence mechanism, and, if the target device is rebooted, the entire exploitation chain needs to be launched again for re-infection.
“If no reboot occurs, the implant will automatically uninstall itself after 30 days, unless the attackers extend this period,” Kaspersky added.
Written in Objective-C, the TriangleDB implant communicates with its command-and-control (C&C) server using the Protobuf library for data exchange. Messages are encrypted using symmetric (3DES) and asymmetric (RSA) cryptography and are transmitted over HTTPS, in POST requests.
TriangleDB periodically sends heartbeat messages to the C&C server, which responds with commands transferred as Protobuf messages with obscure type names.
Kaspersky’s analysis identified 24 supported commands related to file interaction, process interaction, keychain dumps (likely for harvesting credentials), geolocation monitoring, and the execution of additional modules in the form of Mach-O executables.
The spyware monitors the device for folder changes to identify modified files that have names matching specified regular expressions and queues the identified files for exfiltration.
The Kaspersky documentation also identified artifacts suggesting that the threat actor behind the campaign might also be targeting macOS devices with a similar implant.
Kaspersky disclosed the iOS zero-click attacks against its network on the same day that Russia’s Federal Security Service (FSB) blamed US intelligence agencies, specifically the NSA, for a spy campaign targeting thousands of iOS devices belonging to local users and foreign diplomatic missions.