In June, a new campaign targeting iPhone and iPad devices was reported under the name “TriangleDB.” Its infection chain starts with a malicious iMessage attachment, which launches a chain of exploits on the affected device.
The malware also contains several modules, which can in turn execute additional modules. Apart from the exploit chain itself, two validators were found: a “JavaScript validator” and a “Binary Validator.”
These validators collect a variety of information from the targeted device and send it to a C2 server; the threat actors later use this data to access the compromised device and to determine whether it is a test device or a real victim device.
JavaScript Validator
The malware is delivered as a zero-click exploit that executes through invisible iMessage attachments. The main purpose of the JS validator is to stealthily open a unique URL on the domain backuprabbit[.]com.
This website serves obfuscated JavaScript code containing the NaCl cryptography library together with an encrypted payload. The JS code performs canvas fingerprinting by drawing a yellow triangle on a pink background with WebGL and calculating a checksum of the result.
Finally, it encrypts the collected data and sends it to the same domain in order to receive the next stage of the infection chain.
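The only network indicator the write-up gives for the JS validator is the domain backuprabbit[.]com. The following script, an added example rather than code from the original article or from SecureList, shows how a defender can refang that indicator and sweep DNS and web-proxy logs for contacts with it (including subdomains). The log lines and the client addresses are constructed for the example; the dnsmasq-style and Squid-style formats are assumptions about the log sources.

```python
"""Flag DNS / web-proxy log lines that contact the TriangleDB JS validator domain.

The only indicator taken from the write-up is backuprabbit[.]com; all log lines
below are constructed sample data for this example.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Published (defanged) indicator; refanged before matching.
VALIDATOR_DOMAINS = ["backuprabbit[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'backuprabbit[.]com' into a matchable hostname."""
    return (indicator.lower()
            .replace("[.]", ".")
            .replace("(.)", ".")
            .replace("hxxp", "http"))


def host_matches(host: str, domains: Iterable[str]) -> bool:
    """True when host equals one of the domains or is a subdomain of it.

    The leading dot in the endswith() check prevents 'notbackuprabbit.com'
    from matching 'backuprabbit.com'.
    """
    host = host.lower().rstrip(".")
    for d in domains:
        d = refang(d)
        if host == d or host.endswith("." + d):
            return True
    return False


# Assumed log formats: a dnsmasq-style query line and a Squid-style access line.
DNS_RE = re.compile(r"query\[\w+\]\s+(?P<host>\S+)\s+from\s+(?P<client>\S+)")
PROXY_RE = re.compile(r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\w+\s+(?P<url>\S+)")


def extract_host(line: str) -> Optional[Tuple[str, str]]:
    """Return (client, host) from a supported log line, or None if unparsed."""
    m = DNS_RE.search(line)
    if m:
        return m.group("client"), m.group("host")
    m = PROXY_RE.match(line)
    if m:
        # Strip the scheme, then keep only the hostname part of the URL.
        host = re.sub(r"^\w+://", "", m.group("url")).split("/")[0].split(":")[0]
        return m.group("client"), host
    return None


def find_validator_contacts(lines: Iterable[str], domains=VALIDATOR_DOMAINS) -> List[dict]:
    """Return one record per log line whose host matches a validator domain."""
    hits = []
    for line in lines:
        parsed = extract_host(line)
        if parsed and host_matches(parsed[1], domains):
            hits.append({"client": parsed[0], "host": parsed[1], "line": line})
    return hits


# Constructed sample logs: two benign lines and two contacts from the same client.
SAMPLE_LOGS = [
    "Jun 12 10:02:11 dnsmasq[412]: query[A] www.example.com from 10.0.0.12",
    "Jun 12 10:02:13 dnsmasq[412]: query[A] backuprabbit.com from 10.0.0.17",
    "1686564134.221   120 10.0.0.17 TCP_MISS/200 5123 GET https://backuprabbit.com/p/EXAMPLE",
    "1686564140.003    40 10.0.0.12 TCP_MISS/200 812 GET https://cdn.example.org/app.js",
]

if __name__ == "__main__":
    for hit in find_validator_contacts(SAMPLE_LOGS):
        print(f"{hit['client']} contacted {hit['host']}: {hit['line']}")
```

Because the validator fetches a unique URL per target, the path is useless as an indicator; matching on the domain (and its subdomains) from the resolver or proxy side is the durable check, and any client that appears in the hits list should be treated as a device that has at least reached the validation stage.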
Binary Validator
This validator runs before the TriangleDB implant is installed. It is responsible for removing crash logs, removing ids-pub-id.db or knowledge.db, turning on personalized ad tracking, and much more.
After collecting all of this information, it sends the encrypted data (list of processes, user information, etc.) to the C2 server.
The malware can also record from the microphone, exfiltrate the Keychain, steal SQLite databases, and monitor location.
Log Trace
After the implant establishes communication with its C2, it receives multiple CRXShowTables and CRXFetchRecord commands, which are associated with log retrieval and reveal traces of the infection. The retrieved logs include crash log files, database files, and others.
Microphone Recording
This module is named “msu3h” and is one of the most invasive modules of the malware. It performs its actions only when the battery charge of the affected device is above 10%.
It also takes additional parameters, such as suspendOnDeviceInUse (stop recording remotely) and syslogRelayOverride (whether audio should be recorded while system logs are being captured).
Keychain Exfiltration
This module is entirely based on code from the iphone-dataprotection.keychainviewer project, but why the threat actor implemented it when similar modules are already present remains unknown.
SQLite stealing
Many iOS apps store their internal data in SQLite databases, so the threat actor has implemented several modules for stealing SQLite DBs. All of the SQLite stealing modules share the same codebase and encrypted configuration.
A complete report about this malware has been published by SecureList, providing detailed information about the TriangleDB implant.