In a shocking revelation, cybersecurity experts at Kaspersky have recently uncovered a sophisticated and long-running attack campaign targeting iOS devices, code-named Operation Triangulation. This advanced persistent threat (APT) has been active since 2019, posing a significant risk to the security and privacy of iPhone users worldwide. In this blog post, we will explore the details of this alarming discovery and shed light on the potential implications of Operation Triangulation.
Operation Triangulation employs a highly sophisticated attack chain, exploiting zero-click exploits via the iMessage platform, one of the core communication channels on iOS devices. The attack begins when a user's iOS device receives a message through iMessage containing an attachment carrying the exploit.
What makes this attack particularly concerning is the zero-click nature of the exploit. This means that as soon as the message is received, the vulnerability is triggered without requiring any interaction from the user. The attackers have cleverly designed the exploit to achieve code execution seamlessly.
To further amplify their control over the compromised device, the attackers configure the exploit to retrieve additional payloads. These payloads are responsible for privilege escalation, enabling the attackers to gain root privileges, essentially giving them complete control over the infected device and the user's data.
Once the attackers have gained root privileges, they deploy a final-stage malware fetched from a remote server. Kaspersky has described this malware as a "fully-featured APT platform." The implant embedded within this malware is capable of harvesting sensitive information from the compromised device.
The implant not only collects system data but also has the ability to run code downloaded as plugin modules from the remote server. This modular approach enables the attackers to adapt the malware to their specific objectives, making it highly flexible and potent.
The harvested information is extensive and includes private data such as microphone recordings, photos from instant messengers, geolocation data, and various other user activities. The attackers covertly transmit this sensitive information to remote servers, further compromising the privacy and security of the affected users.
Kaspersky's investigation into Operation Triangulation was fueled by the discovery of traces of compromise on targeted devices. To confirm these findings, the cybersecurity experts created offline backups of the compromised iOS devices. By analyzing these backups using specialized tools, they were able to identify the presence of the sophisticated attack.
During the analysis, Kaspersky researchers found that successful exploitation attempts left a distinctive mark: the appearance of data usage lines mentioning a process named "BackupAgent." This deprecated binary should not appear in the device's timeline during regular usage. However, it is important to note that there is also a binary named "BackupAgent2," which does not indicate compromise.
Additionally, the researchers observed that the BackupAgent process was often preceded by another process called "IMTransferAgent." This agent is responsible for downloading the attachment containing the exploit. The successful execution of the exploit leads to the modification of timestamps in multiple directories within the "Library/SMS/Attachments" location. Surprisingly, the attachment itself is deleted, leaving behind only modified directories without any actual files.
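The two indicators above (a "BackupAgent" data-usage entry, ideally preceded by "IMTransferAgent", plus recently modified but empty directories under Library/SMS/Attachments) can be turned into a simple triage check. The code below is an added example written for this post, not Kaspersky's tooling; the timeline line format and the attachment-directory tuples are constructed assumptions standing in for whatever a backup-analysis tool emits.

```python
import re
from datetime import datetime, timedelta

# Constructed sample timeline, "<ISO timestamp> <process>" per line (format is an assumption).
SAMPLE_TIMELINE = """\
2023-05-10T09:14:02 SpringBoard
2023-05-10T09:14:31 IMTransferAgent
2023-05-10T09:14:35 BackupAgent
2023-05-11T12:00:00 BackupAgent2
2023-05-12T18:00:00 BackupAgent
"""

# Constructed sample of attachment directories: (path, mtime, number of files inside).
SAMPLE_ATTACHMENT_DIRS = [
    ("Library/SMS/Attachments/3a/03", datetime(2023, 5, 10, 9, 14, 33), 0),
    ("Library/SMS/Attachments/7f/15", datetime(2023, 5, 10, 9, 14, 34), 0),
    ("Library/SMS/Attachments/c2/02", datetime(2023, 4, 1, 10, 0, 0), 2),
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)$")

def parse_timeline(text):
    """Parse timeline lines into a time-sorted list of (timestamp, process)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return sorted(events)

def find_backupagent_hits(events, window=timedelta(minutes=10)):
    """Flag BackupAgent entries (exact name: BackupAgent2 is benign) and rate them
    'high' if IMTransferAgent ran within `window` before the entry, else 'medium'."""
    hits = []
    for ts, proc in events:
        if proc != "BackupAgent":
            continue
        preceded = any(p == "IMTransferAgent" and timedelta(0) <= ts - t <= window
                       for t, p in events)
        hits.append((ts.isoformat(), "high" if preceded else "medium"))
    return hits

def empty_dirs_near(hit_iso, dirs, window=timedelta(minutes=10)):
    """Attachment directories modified shortly before a hit but holding no files:
    the 'modified directories without any actual files' indicator from the post."""
    hit = datetime.fromisoformat(hit_iso)
    return [path for path, mtime, n in dirs
            if n == 0 and timedelta(0) <= hit - mtime <= window]
```

Run `find_backupagent_hits(parse_timeline(SAMPLE_TIMELINE))` and pass each hit's timestamp to `empty_dirs_near` to see which directories corroborate it; the exact-name comparison is what keeps the legitimate BackupAgent2 binary from producing a false positive.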
Operation Triangulation serves as a stark reminder of the evolving threat landscape that iOS device users face. The discovery of this stealthy APT campaign highlights the need for constant vigilance and proactive security measures. By staying informed, adopting best practices, and leveraging reliable security solutions, iOS users can better protect their devices and personal information from sophisticated attacks like Operation Triangulation. Let us work together to ensure a safer digital environment for all.