Dissecting TriangleDB, a Triangulation spyware implant

[correlate]

[correlate]

Level 18
Thread author
Top Poster
Well-known
May 4, 2019
801
Content source
https://securelist.com/triangledb-triangulation-implant/110050/
Over the years, there have been multiple cases when iOS devices were infected with targeted spyware such as Pegasus, Predator, Reign and others. Often, the process of infecting a device involves launching a chain of different exploits, e.g. for escaping the iMessage sandbox while processing a malicious attachment, and for getting root privileges through a vulnerability in the kernel. Due to this granularity, discovering one exploit in the chain often does not result in retrieving the rest of the chain and obtaining the final spyware payload. For example, in 2021, analysis of iTunes backups helped to discover an attachment containing the FORCEDENTRY exploit. However, during post-exploitation, the malicious code downloaded a payload from a remote server that was not accessible at the time of analysis. Consequently, the analysts lost “the ability to follow the exploit.”
Click to expand...
securelist.com

Dissecting TriangleDB, a Triangulation spyware implant

In researching Operation Triangulation, we set ourselves the goal to retrieve as many parts of the exploitation chain as possible. As of now, we have finished analyzing the spyware implant and are ready to share the details.
securelist.com securelist.com
 
  • +Reputation
  • Like
  • Wow
Reactions: upnorth, plat, Andy Ful and 6 others
MuzzMelbourne

MuzzMelbourne

Level 15
Verified
Top Poster
Well-known
Mar 13, 2022
599
Whoever is infecting people's iPhones with the TriangleDB spyware may be targeting macOS computers with similar malware, according to Kaspersky researchers.

In the security shop's ongoing analysis of the smartphone snooping campaign – during which attackers exploit a kernel vulnerability to obtain root privileges and install TriangleDB on victims' handsets – Kaspersky analysts uncovered 24 commands provided by the malware that can be used for a range of illicit activities; everything from stealing data, to tracking the victim's geolocation, and terminating processes.

TriangleDB is the mystery spyware that Kaspersky found running on its own management's devices.

The analysts also spotted a method named populateWithFieldsMacOSOnly in the class CRConfig, which is used to store the implant's configuration. That function isn't used when the code is deployed on a target's iPhone, though suggests there is a macOS variant or build of the spyware, we're told.
Click to expand...
www.theregister.com

Apple patches kernel bug used in TriangleDB spyware attacks

Snoops may be targeting macOS devices in addition to iPhones, Kaspersky says
www.theregister.com www.theregister.com
 
  • Like
Reactions: harlan4096, vtqhtr413, Trident and 1 other person
P

plat

Level 29
Top Poster
Sep 13, 2018
1,793
vx_underground says this spyware is [allegedly] developed by the US govt. Next source to confirm, please. And who deployed it?? o_O


Edit: After searching for alternative sources, I came across this more believable (for now) source. The only other thing that comes to mind is that WannaCry era back then, when those exploit tools were stolen/leaked from the NSA.

thehackernews.com

New Report Exposes Operation Triangulation's Spyware Implant Targeting iOS Devices

Operation Triangulation: New spyware targets iOS devices with invisible iMessage exploits. Discover how a kernel vulnerability.
thehackernews.com thehackernews.com
 
Last edited:
  • Like
  • Applause
Reactions: harlan4096, vtqhtr413 and Trident
Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,738
And what evidence they can provide to support that, apart from the attack being sophisticated? It’s too much finger-pointing when it comes to cyber attacks with very little evidence.
 
  • Like
  • Applause
Reactions: vtqhtr413 and plat
You must log in or register to reply here.

Similar threads

MuzzMelbourne
    • Like
    • Thanks
    • +Reputation
Hot Take Apple issues emergency patch to address alleged spyware vulnerability
Replies
12
Views
688
macOS, iOS & iPadOS
silversurfer
silversurfer
silversurfer
    • Like
    • +Reputation
Researchers Link DragonEgg Android Spyware to LightSpy iOS Surveillanceware
Replies
0
Views
1,144
News Archive
silversurfer
silversurfer
upnorth
    • Like
    • Wow
    • +Reputation
Emerging Heliconia Exploit Framework for RCE
Replies
1
Views
581
News Archive
upnorth
upnorth

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top