Researchers from Kaspersky analyzed Operation Triangulation, a campaign targeting iOS devices by delivering exploits via iMessage attachments and loading further stages from a C2 server to deploy a full APT platform. The operation has been ongoing since at least 2019 and can be traced through offline device backups and timeline artifacts. The compromise does not survive a reboot, but devices can be reinfected, and as of June 2023 it was still being observed on iOS 15.7. #OperationTriangulation #Kaspersky #iMessage #IMTransferAgent #BackupAgent #BackupAgent2 #C2 #iOS
Key points
- Operation Triangulation targets iOS devices via iMessage attachments delivering exploits without user interaction.
- Infection sequence: an iMessage with an exploit triggers zero-click code execution, followed by downloading additional exploit stages from a C2 server and a final payload that provides an APT platform.
- The malware does not persist across reboots, but devices may be reinfected; earliest traces date back to 2019, and the attack remained active through at least June 2023 targeting iOS 15.7.
- Forensic methodology relies on offline backups and the Mobile Verification Toolkit (MVT) with timeline.csv to reconstruct events and identify compromise artifacts.
- Indicators of compromise include data-usage patterns involving BackupAgent and IMTransferAgent, modifications to Library/SMS/Attachments, and signs of failed iOS updates.
- Network indicators show encrypted iMessage delivery over HTTPS, iMessage-related domains (e.g., ess.apple.com), iCloud-content domains, and multiple C2 domains observed in artifacts.
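The methodology above boils down to correlating timeline.csv rows: an IMTransferAgent data-usage event (the iMessage attachment download) followed shortly by BackupAgent data usage, with a write under Library/SMS/Attachments in between. The script below is an added example, not code from Kaspersky or from the MVT project; it assumes MVT's timeline.csv column layout (UTC Timestamp, Plugin, Event, Description), and every row in the sample is constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the layout of an MVT timeline.csv (UTC Timestamp, Plugin,
# Event, Description). Every timestamp, path and description here is made up for
# the example; none of it is data from the report.
SAMPLE_TIMELINE = """\
UTC Timestamp,Plugin,Event,Description
2023-06-01 10:00:00.000000,Datausage,Data Usage,"IMTransferAgent WIFI IN: 1024, OUT: 512"
2023-06-01 10:00:04.000000,Manifest,Modified,"Library/SMS/Attachments/ab/11/EXAMPLE-attachment - MediaDomain"
2023-06-01 10:01:30.000000,Datausage,Data Usage,"BackupAgent WIFI IN: 204800, OUT: 4096"
2023-06-02 08:00:00.000000,Datausage,Data Usage,"IMTransferAgent WIFI IN: 2048, OUT: 256"
2023-06-02 09:30:00.000000,Datausage,Data Usage,"BackupAgent2 WIFI IN: 100, OUT: 100"
"""

WINDOW = timedelta(minutes=5)  # assumed correlation window; tune per case


def parse_timeline(text):
    """Parse timeline.csv text into dict rows with a datetime under key 'ts'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["UTC Timestamp"], "%Y-%m-%d %H:%M:%S.%f")
    return rows


def find_suspicious_chains(rows, window=WINDOW):
    """Flag IMTransferAgent data usage followed within `window` by BackupAgent
    (or BackupAgent2) data usage, noting whether an SMS attachment write sits between."""
    usage = [r for r in rows if r["Plugin"] == "Datausage"]
    transfers = [r for r in usage if r["Description"].startswith("IMTransferAgent")]
    backups = [r for r in usage if r["Description"].startswith("BackupAgent")]
    chains = []
    for im in transfers:
        for bk in backups:
            delta = bk["ts"] - im["ts"]
            if timedelta(0) <= delta <= window:
                attach = any("Library/SMS/Attachments" in r["Description"]
                             and im["ts"] <= r["ts"] <= bk["ts"] for r in rows)
                chains.append({"start": im["ts"], "end": bk["ts"],
                               "attachment_written": attach})
    return chains


if __name__ == "__main__":
    for chain in find_suspicious_chains(parse_timeline(SAMPLE_TIMELINE)):
        print(f"{chain['start']} -> {chain['end']} attachment={chain['attachment_written']}")
```

The second day's IMTransferAgent event is not flagged because the BackupAgent2 usage falls outside the window; a real backup will need the window and the process names adjusted to what the device actually logs.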
MITRE Techniques
- [T1203] Exploitation for Client Execution – The target iOS device receives a message via the iMessage service with an attachment containing an exploit; without any user interaction, the message triggers a vulnerability that leads to code execution. "the target iOS device receives a message via the iMessage service, with an attachment containing an exploit, and without any user interaction, the message triggers a vulnerability that leads to code execution."
- [T1068] Exploitation for Privilege Escalation – The code within the exploit downloads several subsequent stages from the C&C server, which include additional exploits for privilege escalation. "downloads several subsequent stages from the C&C server, that include additional exploits for privilege escalation."
- [T1070] Indicator Removal on Host – The malware includes portions of code dedicated specifically to clearing the traces of compromise. "The malware includes portions of code dedicated specifically to clear the traces of compromise."
- [T1082] System Information Discovery – The final payload runs with root privileges and implements a set of commands for collecting system and user information. "the code is run with root privileges, implements a set of commands for collecting system and user information."
- [T1071.001] Web Protocols – The iMessage attachment is encrypted and downloaded over HTTPS, followed by multiple connections to the C&C domains. "The iMessage attachment is encrypted and downloaded over HTTPS, and there are multiple connections to the C&C domains."
Indicators of Compromise
- [Domain] C2 domains – addatamarket.net, backuprabbit.com, and 13 more domains
- [File name] Forensic artifacts – timeline.csv, com.apple.ImageIO.plist, and 13 more files
- [Process name] Data-usage indicators – BackupAgent, IMTransferAgent
Read more: https://securelist.com/operation-triangulation/109842/