The iOS zero-click attacks that targeted the iPhones of dozens of Kaspersky senior employees earlier this year focused heavily on exercising stealth, the Russian cybersecurity vendor says.
Referred to as ‘Operation Triangulation’, the attacks involved malicious iMessage attachments designed to exploit a remote code execution (RCE) zero-day and deploy a spyware implant dubbed TriangleDB. Apple released patches for the vulnerability in late June.
The iOS zero-click attacks were disclosed on the same day that Russia’s Federal Security Service (FSB) blamed US intelligence agencies for a spy campaign targeting the iOS devices belonging to diplomats.
On Monday, Kaspersky released a new report detailing the various stealth techniques that the threat actor behind Operation Triangulation has employed, along with some of the components used in the attack.
Before the TriangleDB implant was deployed on the target devices, two validators were used to collect device information and ensure that the code would not be executed on research environments.
The invisible iMessage attachment containing the zero-click exploit silently opens an HTML page hosting the first validator, in the form of obfuscated JavaScript code. The code performs various checks and fingerprinting, sends collected information to a remote server, and waits for the next stage.
The second validator, a Mach-O binary file, removes crash logs and any traces of the malicious iMessage attachment from various databases, lists running processes and installed applications, checks for the device’s jailbreak status, collects user information, and turns on personalized ad tracking.
The binary validator, Kaspersky says, implements these actions for both iOS and macOS, and then sends the collected data to its command-and-control (C&C) server, which responds with the TriangleDB implant.
According to Kaspersky, the implant too was designed to look for crash log files and database files that may contain traces of the iMessages attachment, and deletes them to prevent the malware’s identification.
The implant, Kaspersky discovered, contained a microphone-recording module named ‘msu3h’, which could record for three hours by default, and which would suspend recording if the battery level is lower than 10% and if the device’s screen is in use.
The attackers also implemented an additional keychain exfiltration module, SQLite database stealing capabilities, and a location-monitoring module that used network metadata if GPS was not available.
“The adversary behind Triangulation took great care to avoid detection. They introduced two validators in the infection chain in order to ensure that the exploits and the implant do not get delivered to security researchers. Additionally, microphone recording could be tuned in such a way that it stopped when the screen was being used,” Kaspersky concludes.
Related: Stealthy APT Gelsemium Seen Targeting Southeast Asian Government
Related: Stealthy ‘LabRat’ Campaign Abuses TryCloudflare to Hide Infrastructure
Related: Google Cloud Platform Vulnerability Led to Stealthy Account Backdoors
