Apple squashes kernel bug used by TriangleDB spyware

Whoever is infecting people's iPhones with the TriangleDB spyware may be targeting macOS computers with similar malware, according to Kaspersky researchers.

In the security shop's ongoing analysis of the smartphone snooping campaign – during which attackers exploit a kernel vulnerability to obtain root privileges and install TriangleDB on victims' handsets – Kaspersky analysts uncovered 24 commands provided by the malware that can be used for a range of illicit activities; everything from stealing data, to tracking the victim's geolocation, and terminating processes.

TriangleDB is the mystery spyware that Kaspersky found running on its own management's devices.

The analysts also spotted a method named populateWithFieldsMacOSOnly in the class CRConfig, which is used to store the implant's configuration. That function isn't used when the code is deployed on a target's iPhone, though suggests there is a macOS variant or build of the spyware, we're told.

"This method is not called anywhere in the iOS implant; however, its existence means that macOS devices can also be targeted with a similar implant," Georgy Kucherin, Leonid Bezvershenko, and Igor Kuznetsov wrote in research published today.

Also today, Apple pushed software updates to fix the kernel vulnerability uncovered by the Kaspersky researchers during their TriangleDB analysis. The updates patch CVE-2023-32434 across nearly every iPhone and iPad model as well as Apple Watches series 3 and later, and computers running macOS Ventura, Monterey, and Big Sur. 

Apple credits Kucherin, Bezvershenko, and Kuznetsov with finding the flaw, and the release notes acknowledge that "Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7."

While Kaspersky's initial analysis of the spyware campaign found no indication of the exploit successfully compromising devices running versions of iOS since iOS 15.7, a deeper dive into the exploitation chain found that the later stages of the exploit process still worked.

Today's fixes ensure that those later stages can't be used in separate attacks, according to an Apple spokesperson. The patches also address another vulnerability: a flaw in Webkit (CVE-2023-32439) in iOS and macOS that was reported by an anonymous source and may have been exploited in the wild, too.

Interestingly enough, Apple's updates additionally close CVE-2023-32435, another exploited code-execution hole in WebKit that was reported by the Kaspersky trio but isn't mentioned in their write-up; just the kernel bug was referenced.

Operation Triangulation

Kaspersky said on June 1 it discovered TriangleDB, a previously unknown spyware, on "several dozen" iPhones belonging to the Russian infosec giant's top and middle-management. It dubbed the espionage campaign Operation Triangulation.

Also on June 1, Russian intelligence accused American snoops and Apple of working together to backdoor iPhones to spy on "thousands" of diplomats worldwide. The Kremlin's Federal Security Service (FSB) provided no proof alongside these allegations. At the time, a Kaspersky spokesperson told The Register it was aware of the FSB's claims, but couldn't say if the two things — America allegedly backdooring iPhones, and the spyware found on several Kaspersky devices — were linked.

Since the initial Triangulation report, Kaspersky has released a triangle_check utility that automatically searches equipment for infections of the snoopware. 

• Kremlin claims Apple helped NSA spy on diplomats via iPhone backdoor
• Third MOVEit bug fixed a day after PoC exploit made public
• June Patch Tuesday: VMware vuln under attack by Chinese spies, Microsoft kinda meh
• Chinese spies blamed for data-harvesting raids on Barracuda email gateways

Today's research follows a six-month investigation into the operation as well as a deep analysis of the exploitation chain. 

When asked if the implant has been detected on iPhones belonging to non-Kaspersky employees, a spokesperson told The Register: "It's important to note that we can only disclose information about those infections detected by us within the attack on Kaspersky employees."

The researchers still haven't attributed the snooping campaign to any particular crew or nation. "Judging by the cyberattack characteristics, we're unable to link this cyberespionage campaign to any existing threat actor," the spokesperson added.

Here's what the team uncovered about TriangleDB. 

Deep dive into TriangleDB

As they discussed previously, exploitation starts with an iMessage containing a malicious attachment; simply receiving that message is enough to infect a vulnerable iOS device. The message's payload is designed to eventually exploit a kernel-level security hole to gain root privileges, allowing complete control over the system. The code appears to be written in Objective-C.

The code deploys the TriangleDB spyware in memory, so the snoops have to reinfect a target device if the victim reboots their iPhone. If there's no reboot, the implant removes itself after 30 days unless the attacker extends it.

After it launches, the malware begins communicating with a command-and-control server using the Protobuf library. All messages are encrypted with 3DES and RSA via HTTPS connections. 

The implant sends heartbeat pings to the C2 server with system information, and the server responds to these messages with commands, all of which have names starting with CRX.

Kaspersky's researchers analyzed two dozen of these commands, and said they can be used to make the spyware interact with processes and the filesystem to create and remove files. These commands can also monitor the iPhone's geolocation and dump a victim's keychain items, which allows attackers to harvest credentials. Plus, they can run additional modules, which, again, are only stored in memory.

It's also worth noting that the implant requests multiple permissions from the operating system, and some of these are not used in the code. This includes access to the device's camera, microphone and address book, along with permission to interact with other devices via Bluetooth.

Kaspersky says this likely means that these functionalities are implemented in modules. ®