Experts reveal more info on this dangerous hacking tactic targeting your iPhone
Cybersecurity researchers at Kaspersky have revealed more details about TriangleDB, a piece of malware that targeted a zero-day vulnerability recently discovered in the iOS operating system.
In a detailed technical article, Kaspersky says that the malware contains at least four different modules that allow it to record sound using the device’s integrated microphone, extract the iCloud keychain, steal data from SQLite databases, and even track the location of the device by triangulating via GSM (not GPS).
If GPS data is not available, the module responsible for tracking the victim’s location uses the Mobile Country Code (MCC), Mobile Network Code (MNC) and Location Area Code (LAC) to determine the exact location of the device. Whoever built the malware has also gone to great lengths to ensure it goes unnoticed. For example, the microphone module stops working if the victim turns on the screen, or if the battery drops below 10%. The malware also performs some checks before running to ensure it has not been installed in a research environment.
Advanced Persistent Threats
When it comes to the identity of the attackers, it remains a mystery. The campaign is called Operation Triangulation, and although the identity is unknown, Kaspersky described the operators as a “fully equipped advanced persistent threat (APT)”.
APTs are often associated with (state-sponsored) threat actors charged with government or corporate espionage and data theft.
To deploy the malware, the hackers took advantage of zero-day vulnerabilities in iOS, tracked as CVE-2023-32434 and CVE-2023-32435. By sending a specially crafted message through the iMessage platform, the attackers were able to take full control of both the endpoint and user data without requiring any interaction from the victim.
“The adversary behind Triangulation has done everything possible to avoid detection,” the researchers said. “The attackers also demonstrated a deep understanding of iOS’s internal functions as they used undocumented private APIs during the attack.”
Via The Hacker News