Dissecting TriangleDB, a Triangulation spyware implant

[correlate]

Over the years, there have been multiple cases in which iOS devices were infected with targeted spyware such as Pegasus, Predator, Reign and others. Often, the process of infecting a device involves launching a chain of different exploits, e.g. for escaping the iMessage sandbox while processing a malicious attachment, and for getting root privileges through a vulnerability in the kernel. Due to this granularity, discovering one exploit in the chain often does not result in retrieving the rest of the chain and obtaining the final spyware payload. For example, in 2021, analysis of iTunes backups helped to discover an attachment containing the FORCEDENTRY exploit. However, during post-exploitation, the malicious code downloaded a payload from a remote server that was not accessible at the time of analysis. Consequently, the analysts lost “the ability to follow the exploit.”
 
Whoever is infecting people's iPhones with the TriangleDB spyware may be targeting macOS computers with similar malware, according to Kaspersky researchers.

In the security shop's ongoing analysis of the smartphone snooping campaign – during which attackers exploit a kernel vulnerability to obtain root privileges and install TriangleDB on victims' handsets – Kaspersky analysts uncovered 24 commands provided by the malware that can be used for a range of illicit activities; everything from stealing data, to tracking the victim's geolocation, and terminating processes.

TriangleDB is the mystery spyware that Kaspersky found running on its own management's devices.

The analysts also spotted a method named populateWithFieldsMacOSOnly in the class CRConfig, which is used to store the implant's configuration. That function isn't used when the code is deployed on a target's iPhone, though it suggests there is a macOS variant or build of the spyware, we're told.
 
vx_underground says this spyware is [allegedly] developed by the US govt. Next source to confirm, please. And who deployed it?? o_O


Edit: After searching for alternative sources, I came across this more believable (for now) source. The only other thing that comes to mind is that WannaCry era back then, when those exploit tools were stolen/leaked from the NSA.

 
And what evidence they can provide to support that, apart from the attack being sophisticated? It’s too much finger-pointing when it comes to cyber attacks with very little evidence.
 