Triangulation: validators, post-compromise activity and modules

Two validator stages (a JavaScript validator and a Mach-O binary, the "Binary Validator") are used early in the Triangulation infection chain to fingerprint devices, screen out researcher or sandboxed targets, and only deliver the TriangleDB implant to vetted victims. The operation delivers modular plugins (microphone recorder, keychain exfiltration, SQLite-stealing, location tracker, SMS/IM collection) and uses implant commands to collect and then delete forensic artefacts. #TriangleDB #Triangulation

Keypoints

  • Infection chain: zero-click iMessage exploit opens a unique backuprabbit[.]com URL that hosts obfuscated NaCl JS and an encrypted JavaScript validator.
  • JavaScript Validator fingerprints the device (API availability, arithmetic quirks, WebGL Canvas fingerprinting) and posts encrypted results to backuprabbit for C2 decisioning.
  • Binary Validator (Mach-O) decrypts a plist configuration and executes actions such as DeleteLogs, DeleteArtifacts, ProcessList, InterfaceList, JailbreakDetect, DeviceInfo and InstalledApps before requesting the TriangleDB implant.
  • Validator actions include searching/removing traces from crash logs and DBs (ids-pub-id.db, knowledgeC.db) and contain 40 MD5 hashes representing attacker Apple IDs used to send malicious iMessages.
  • TriangleDB implant issues commands (CRXShowTables, CRXFetchRecord, CRXPollRecords, CRXUpdateRecord, CRXRunRecord) to retrieve logs, upload module outputs, delete evidence, and deploy/execute modules.
  • Modules include microphone recording (msu3h: Speex compression, AES encryption, configurable stop conditions), keychain exfiltration (iphone-dataprotection-based), SQLite-stealing modules (versioned branches for iOS <8, 8–9, ≥9), and a location module that uses GPS and GSM (MCC/MNC/LAC/CID) techniques.
  • Exfiltrated files are filtered by filename patterns (regular expressions) in /private/var/tmp and the operators periodically poll and remove collected forensic artifacts to avoid detection.

MITRE Techniques

  • No MITRE ATT&CK technique identifiers or technique names are explicitly mentioned in the article; the report describes device fingerprinting, data collection, local artifact removal, and exfiltration behaviors but does not map them to TIDs.

Indicators of Compromise

  • [Domain] validator/C2 hosting – backuprabbit[.]com (unique URLs used to deliver JS validator and receive fingerprinting data)
  • [File hashes] module binaries – MD5 527bb38d4716c019b65da64d0f851a70 (keychain module), MD5 ac2444e7f7b0a4b084ad8c9ae8ac26c8 (microphone module), and other module hashes (see article for SHA-1/SHA-256 values)
  • [Email / Apple IDs] attacker account indicators – travislong544[at]yahoo.com (example from cracked MD5 list), norsarall87[at]outlook.com (and many other attacker-controlled Apple ID addresses listed)
  • [File paths / databases] forensic/tracking artefacts – /private/var/mobile/Library/Logs/CrashReporter, /private/var/mobile/Library/IdentityServices/ids-gossip.db, /private/var/tmp (modules place execution outputs there)
  • [Filename patterns] exfiltration filters – ^(kng|dky).+.dat$ (location data), ^sr6d.+.(dat|srm)$ (microphone recordings), ^S5L.+.kcd$ (keychain), and other regex patterns used by the implant to select files

Early in the chain a zero-click iMessage exploit opens a unique backuprabbit[.]com URL hosting obfuscated NaCl JS and an encrypted JavaScript validator. That JS performs capability and arithmetic checks (e.g., Math.log(-1), Math.sqrt(-1)), tests for WebAssembly, Media Source API, and uses WebGL canvas fingerprinting (draws a colored triangle and reads pixels) to derive a device fingerprint; the validator encrypts and POSTs these measurements to C2 to determine whether to proceed.

The Binary Validator is a Mach-O that decrypts an AES-encrypted plist configuration listing actions (DeleteLogs, DeleteArtifacts, ProcessList, InterfaceList, JailbreakDetect, EnableAdTracking, DeviceInfo, InstalledApps). It enumerates processes and network interfaces, checks for a wide range of jailbreak indicators (Pangu, xCon, Evasion7, Electra, unc0ver, checkra1n, etc.), removes crash logs and traces of the malicious iMessage from local DBs (ids-pub-id.db, knowledgeC.db), toggles personalized ad tracking, collects user/device identifiers (username, phone, IMEI, Apple ID), and supports both iOS and macOS code paths; an unused PSPDetect action can test for the presence of specified files (presumably to detect security products).

After the implant (TriangleDB) is delivered, operators use commands (CRXShowTables, CRXFetchRecord) to pull logs and DBs, delete them locally, and schedule periodic exfiltration via CRXPollRecords. Modules are delivered with CRXUpdateRecord/CRXRunRecord and include: the msu3h microphone recorder (Audio Queue API, Speex compression, AES encryption, configurable duration and stop conditions such as suspendOnDeviceInUse or syslogRelayOverride), a keychain exfiltration module derived from iphone-dataprotection.keychainviewer, multiple SQLite-stealing modules (same codebase with different SQL queries and three branches for iOS version ranges, extracting items like knowledgeC.db usage and photo metadata including face/gender/age OCR text), and a location module that impersonates authorized bundles and supplements GPS with GSM MCC/MNC/LAC/CID data. Exfiltrated outputs are written to /private/var/tmp and filtered by filename regexes before upload to C2.
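Because the implant selects its upload candidates in /private/var/tmp with the filename patterns quoted above, those same patterns can drive a triage pass over a directory listing taken from a device (before the operators' periodic cleanup removes the files). The script below is an added example, not code from the report or from the TriangleDB toolkit; the patterns are reproduced as quoted in the summary, and the sample listing is constructed.

```python
import re
from typing import Dict, List, Optional

# Filename patterns quoted in the report as the implant's upload filters for
# /private/var/tmp, reproduced as given there (the "." before the extension is
# unescaped in the quoted form, so these match slightly more than a literal dot).
ARTIFACT_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "location (kng/dky .dat)": re.compile(r"^(kng|dky).+.dat$"),
    "microphone (sr6d .dat/.srm)": re.compile(r"^sr6d.+.(dat|srm)$"),
    "keychain (S5L .kcd)": re.compile(r"^S5L.+.kcd$"),
}

# Constructed sample listing of /private/var/tmp (not taken from a real device).
SAMPLE_LISTING: List[str] = [
    "kng20230612.dat",
    "dky_0001.dat",
    "sr6d-rec-7.srm",
    "sr6d-rec-8.dat",
    "S5L-keys.kcd",
    "com.apple.launchd.abc123",   # unrelated name, must not match
    "kng.dat",                     # prefix only: ".+" needs at least one char
    "sr6d.kcd",                    # right prefix, wrong extension for that module
]


def classify_artifact(name: str) -> Optional[str]:
    """Return the module category whose filter matches `name`, or None."""
    for label, pattern in ARTIFACT_PATTERNS.items():
        if pattern.match(name):
            return label
    return None


def triage_listing(names: List[str]) -> Dict[str, List[str]]:
    """Group filenames that match an implant filter by module; drop the rest."""
    hits: Dict[str, List[str]] = {label: [] for label in ARTIFACT_PATTERNS}
    for name in names:
        label = classify_artifact(name)
        if label is not None:
            hits[label].append(name)
    return {label: files for label, files in hits.items() if files}


if __name__ == "__main__":
    for label, files in triage_listing(SAMPLE_LISTING).items():
        print(f"{label}: {', '.join(files)}")
```

A hit only says a name fits the implant's own selection filter; the matched files still need to be preserved and examined, since the operators delete them after upload.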

Read more: https://securelist.com/triangulation-validators-modules/110847/