TriangleDB: the spyware implant of Operation Triangulation

APT operators are showing increasing interest in mobile devices. Our experts have studied one of their tools.


Not so long ago, our technologies detected a new APT attack on iPhones. The attack was part of a campaign aimed at, among others, Kaspersky employees. Unknown attackers used an iOS kernel vulnerability to deploy a spyware implant dubbed TriangleDB in the device’s memory. Our experts have been able to study this implant thoroughly.

What can the TriangleDB implant do?

Studying this implant was no easy task, since it works only in the phone’s memory, leaving no traces in the system. That is, a reboot completely wipes all traces of the attack. The malware also had a self-destruct timer that activated automatically 30 days after the initial infection (if the operators decided not to send a command to extend its working time). The basic functionality of the implant includes the following features:

  • file manipulation (creation, modification, deletion and exfiltration);
  • manipulation of running processes (listing and terminating them);
  • exfiltration of iOS keychain elements — which may contain certificates, digital identities, and/or credentials for various services;
  • transmission of geolocation data — including coordinates, altitude, and speed and direction of movement.

Also, the implant can load additional modules into the phone’s memory and run them. If you’re interested in the technical details of the implant, you can find them in a post on the Securelist blog (aimed at cybersecurity experts).

APT attacks on mobile devices

Until recently, the main targets of APT attacks have mostly been traditional personal computers. However, modern mobile devices are now comparable to office PCs in terms of both performance and functionality. They’re used to interact with business-critical information, store both personal and business secrets, and can serve as access keys to work-related services. Therefore, APT groups are putting all the more effort into designing attacks on mobile operating systems.

Of course, Triangulation is not the first attack aimed at iOS devices. Everyone remembers the infamous (and, unfortunately, still ongoing) case of the commercial spyware Pegasus. There were other examples too, like Insomnia, Predator, Reign, etc. Also, it’s no wonder that APT groups are interested in the Android OS as well. Not so long ago, news outlets wrote about an attack by the “Transparent Tribe” APT group, which used the CapraRAT backdoor against Indian and Pakistani users of this system. And in the third quarter of last year, we discovered previously unknown spyware targeting Farsi-speaking users.

All this suggests that in order to protect a company from APT attacks these days, it’s necessary to ensure the security of not only stationary equipment — servers and workstations — but also of mobile devices used in the work process.

How to improve your chances against APT attacks on mobiles

It would be wrong to assume that the default protection technologies provided by device manufacturers are enough to protect mobile devices. The Operation Triangulation case clearly shows that even Apple technologies aren’t perfect. Therefore, we recommend that businesses always employ a multi-level protection system that includes convenient tools for mobile device control, plus systems that can monitor the devices’ network interactions.

The first line of defense should be an MDM-class solution. Our Endpoint Security for Mobile provides centralized management of mobile device security via Kaspersky Security Center, our administration console. In addition, our solution provides protection against phishing, web threats and malware (for Android only; unfortunately, Apple doesn’t allow third-party antivirus solutions).

In particular, it employs Cloud ML for Android technology to detect Android-related malware. This technology, which works in the KSN cloud, is based on machine learning methods. The model, trained on millions of known Android malware samples, detects even previously unknown malware with high precision.

However, threat actors increasingly use mobile platforms in sophisticated targeted attacks. Therefore, it makes sense to use a system that can monitor network activity — be it security information and event management (SIEM) or some other tool that can empower your experts to handle complex cybersecurity incidents with unmatched extended detection and response, such as our Kaspersky Anti Targeted Attack Platform.

The abovementioned Operation Triangulation was discovered by our experts while monitoring a corporate Wi-Fi network using our own SIEM system, Kaspersky Unified Monitoring and Analysis Platform (KUMA). In addition, our Threat Intelligence solutions are able to provide security systems and experts with up-to-date information about new threats, as well as about attackers’ techniques, tactics and procedures.