Operation Triangulation: iOS devices targeted with previously unknown malware

2023-06-01 09:07:54

While monitoring the network traffic of our own corporate Wi-Fi network dedicated to mobile devices using the Kaspersky Unified Monitoring and Analysis Platform (KUMA), we noticed suspicious activity that originated from several iOS-based phones. Since it is impossible to inspect modern iOS devices from the inside, we created offline backups of the devices in question, inspected them using the Mobile Verification Toolkit's mvt-ios and discovered traces of compromise.
We are calling this campaign "Operation Triangulation", and all the related information we have on it will be collected on the Operation Triangulation page. If you have any additional details to share, please contact us: triangulation[at]

What we know so far

Mobile device backups contain a partial copy of the filesystem, including some of the user data and service databases. The timestamps of the files, folders and database records allow us to roughly reconstruct the events that occurred on the device. The mvt-ios utility produces a sorted timeline of events in a file called "timeline.csv", similar to a super-timeline used by conventional digital forensic tools.
Using this timeline, we were able to identify specific artifacts that indicate the compromise. This allowed us to move the research forward and to reconstruct the general infection sequence:

  • The target iOS device receives a message via the iMessage service, with an attachment containing an exploit.
  • Without any user interaction, the message triggers a vulnerability that leads to code execution.
  • The code within the exploit downloads several subsequent stages from the C&C server, which include additional exploits for privilege escalation.
  • After successful exploitation, a final payload is downloaded from the C&C server; it is a fully-featured APT platform.
  • The initial message and the exploit in the attachment are deleted.

The malicious toolset does not support persistence, most likely due to the limitations of the OS. The timelines of multiple devices indicate that they may be reinfected after rebooting. The oldest traces of infection that we discovered date from 2019. As of the time of writing in June 2023, the attack is ongoing, and the most recent iOS version on the devices successfully targeted is iOS 15.7.
The analysis of the final payload is not finished yet. The code runs with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C&C server.

Forensic methodology

It is important to note that, although the malware includes portions of code dedicated specifically to clearing the traces of compromise, it is possible to reliably identify whether the device was compromised. Furthermore, if a new device was set up by migrating user data from an older device, the iTunes backup of that device will contain the traces of compromise that occurred on both devices, with correct timestamps.

All potential target devices must be backed up, either using iTunes or the open-source utility idevicebackup2 (from the libimobiledevice package). The latter is shipped as a pre-built package with the most popular Linux distributions, or can be built from source for macOS/Linux.
To create a backup with idevicebackup2, run the following command:
idevicebackup2 backup --full $backup_directory

You may need to enter the device passcode several times, and the process may take several hours, depending on the amount of user data stored on the device.

Install MVT

Once the backup is ready, it has to be processed by the Mobile Verification Toolkit. If Python 3 is installed on the system, run the following command:
pip install mvt

A more comprehensive installation guide is available on the MVT homepage.

Optional: decrypt the backup

If the owner of the device has previously set up backup encryption, the backup copy will be encrypted. In that case, the backup copy has to be decrypted before running the checks:
mvt-ios decrypt-backup -d $decrypted_backup_directory $backup_directory

Parse the backup using MVT

mvt-ios check-backup -o $mvt_output_directory $decrypted_backup_directory
This command will run all the MVT checks, and the output directory will contain several JSON and CSV files. For the methodology described in this blog post, you will need the file called timeline.csv.

Check timeline.csv for indicators

  1. The single most reliable indicator that we discovered is the presence of data usage lines mentioning the process named "BackupAgent". This is a deprecated binary that should not appear in the timeline during regular usage of the device. However, it is important to note that there is also a binary named "BackupAgent2", and that one is not an indicator of compromise. In many cases, BackupAgent is preceded by the process "IMTransferAgent", which downloads the attachment that happens to be the exploit, and this leads to modification of the timestamps of multiple directories under "Library/SMS/Attachments". The attachment is then deleted, leaving only the modified directories, without actual files inside them:
    2022-09-13 10:04:11.890351Z Datausage IMTransferAgent/ (Bundle ID:, ID: 127) WIFI IN: 0.0, WIFI OUT: 0.0 - WWAN IN: 76281896.0, WWAN OUT: 100956502.0
    2022-09-13 10:04:54.000000Z Manifest Library/SMS/Attachments/65/05 - MediaDomain
    2022-09-13 10:05:14.744570Z Datausage BackupAgent (Bundle ID: , ID: 710) WIFI IN: 0.0, WIFI OUT: 0.0 - WWAN IN: 734459.0, WWAN OUT: 287912.0
  2. There are also less reliable indicators, which may be treated as IOCs if several of them occurred within a timeframe of minutes:
    • Modification of one or several files:,,
    • Data usage information of the services, powerd/, lockdownd/

    2021-10-30 16:35:24.923368Z Datausage IMTransferAgent/ (Bundle ID:, ID: 945) WIFI IN: 0.0, WIFI OUT: 0.0 - WWAN IN: 31933.0, WWAN OUT: 104150.0
    2021-10-30 16:35:24.928030Z Datausage IMTransferAgent/ (Bundle ID:, ID: 945)
    2021-10-30 16:35:24.935920Z Datausage IMTransferAgent/ (Bundle ID:, ID: 946) WIFI IN: 0.0, WIFI OUT: 0.0 - WWAN IN: 47743.0, WWAN OUT: 6502.0
    2021-10-30 16:35:24.937976Z Datausage IMTransferAgent/ (Bundle ID:, ID: 946)
    2021-10-30 16:36:51.000000Z Manifest Library/Preferences/ - HomeDomain
    2021-10-30 16:36:51.000000Z Manifest Library/Preferences/ - RootDomain

    Another example: modification of an SMS attachment directory (but no attachment filename), followed by data usage of, followed by modification of. All the events occurred within a 1-3 minute timeframe, indicating the result of a successful zero-click compromise via an iMessage attachment, followed by the traces of exploitation and malicious activity.
    2022-09-11 19:52:56.000000Z Manifest Library/SMS/Attachments/98 - MediaDomain
    2022-09-11 19:52:56.000000Z Manifest Library/SMS/Attachments/98/08 - MediaDomain
    2022-09-11 19:53:10.000000Z Manifest Library/SMS/Attachments/98/08 - MediaDomain
    2022-09-11 19:54:51.698609Z OSAnalyticsADDaily WIFI IN: 77234150.0, WIFI OUT: 747603971.0 - WWAN IN: 55385088.0, WWAN OUT: 425312575.0
    2022-09-11 19:54:51.702269Z Datausage (Bundle ID: , ID: 1125)
    2022-09-11 19:54:53.000000Z Manifest Library/Preferences/ - HomeDomain
    2022-06-26 18:21:36.000000Z Manifest Library/SMS/Attachments/advert/13 - MediaDomain
    2022-06-26 18:21:36.000000Z Manifest Library/SMS/Attachments/advert - MediaDomain
    2022-06-26 18:21:50.000000Z Manifest Library/SMS/Attachments/advert/13 - MediaDomain
    2022-06-26 18:22:03.412817Z OSAnalyticsADDaily WIFI IN: 19488889.0, WIFI OUT: 406382282.0 - WWAN IN: 66954930.0, WWAN OUT: 1521212526.0
    2022-06-26 18:22:16.000000Z Manifest Library/Preferences/ - RootDomain
    2022-06-26 18:22:16.000000Z Manifest Library/Preferences/ - HomeDomain
    2022-03-21 21:37:55.000000Z Manifest Library/SMS/Attachments/fc - MediaDomain
    2022-03-21 21:37:55.000000Z Manifest Library/SMS/Attachments/fc/12 - MediaDomain
    2022-03-21 21:38:08.000000Z Manifest Library/SMS/Attachments/fc/12 - MediaDomain
    2022-03-21 21:38:23.901243Z OSAnalyticsADDaily WIFI IN: 551604.0, WIFI OUT: 6054253.0 - WWAN IN: 0.0, WWAN OUT: 0.0
    2022-03-21 21:38:24.000000Z Manifest Library/Preferences/ - HomeDomain

  3. An even less explicit indicator of compromise is the inability to install iOS updates. We discovered malicious code that modifies one of the system settings files, named. We observed update attempts ending with the error message "Software Update Failed. An error ocurred downloading iOS".
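The timeline checks above, turned into a small triage script. This is an added example, not code from the blog post or from MVT: it parses a timeline.csv, flags every data-usage record for the deprecated BackupAgent binary (rejecting BackupAgent2), and reports whether the supporting traces (IMTransferAgent data usage, an SMS attachment directory timestamp change) precede it within a few minutes. The column names "UTC Timestamp", "Plugin", "Event", "Description" are an assumption about mvt-ios output, and the sample rows are constructed to mimic the excerpts above.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample in the assumed mvt-ios timeline.csv layout; the rows mimic
# the blog post's excerpts and are not data from a real device.
SAMPLE_TIMELINE = """\
UTC Timestamp,Plugin,Event,Description
2022-09-13 10:04:11.890351Z,Datausage,data_usage,"IMTransferAgent/ (Bundle ID:, ID: 127) WIFI IN: 0.0, WIFI OUT: 0.0 - WWAN IN: 76281896.0, WWAN OUT: 100956502.0"
2022-09-13 10:04:54.000000Z,Manifest,file_modified,Library/SMS/Attachments/65/05 - MediaDomain
2022-09-13 10:05:14.744570Z,Datausage,data_usage,"BackupAgent (Bundle ID: , ID: 710) WIFI IN: 0.0, WIFI OUT: 0.0 - WWAN IN: 734459.0, WWAN OUT: 287912.0"
2022-10-02 08:15:00.000000Z,Datausage,data_usage,"BackupAgent2 (Bundle ID: , ID: 12) WIFI IN: 512.0, WIFI OUT: 128.0 - WWAN IN: 0.0, WWAN OUT: 0.0"
"""

WINDOW = timedelta(minutes=3)               # "within a timeframe of minutes"
BACKUPAGENT = re.compile(r"^BackupAgent\b")  # \b keeps BackupAgent2 from matching


def parse_timeline(text):
    """Parse timeline.csv text into sorted (timestamp, plugin, description) tuples."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["UTC Timestamp"], "%Y-%m-%d %H:%M:%S.%fZ")
        rows.append((ts, row["Plugin"], row["Description"]))
    return sorted(rows)


def find_indicators(rows):
    """Return one hit per BackupAgent data-usage record, with the supporting
    traces seen in the WINDOW leading up to it."""
    hits = []
    for ts, plugin, desc in rows:
        if plugin != "Datausage" or not BACKUPAGENT.match(desc):
            continue
        before = [(p, d) for t, p, d in rows if ts - WINDOW <= t <= ts]
        hits.append({
            "time": ts,
            "imtransferagent": any(p == "Datausage" and d.startswith("IMTransferAgent")
                                   for p, d in before),
            "sms_attachment_dir": any(p == "Manifest" and "Library/SMS/Attachments/" in d
                                      for p, d in before),
        })
    return hits


if __name__ == "__main__":
    for hit in find_indicators(parse_timeline(SAMPLE_TIMELINE)):
        print(hit)
```

Run it against the real timeline.csv by replacing SAMPLE_TIMELINE with the file contents; a hit with both supporting traces set to True matches the pattern shown in the first excerpt.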

Network activity during exploitation

On the network level, a successful exploitation attempt can be identified by a sequence of several HTTPS connection events. These can be discovered in netflow data enriched with DNS/TLS host information, or in PCAP dumps:

  • Legitimate network interaction with the iMessage service, usually using the domains *
  • Download of the iMessage attachment, using the domains, content
  • Several connections to the C&C domains, usually 2 different domains (the list of known domains follows). Typical netflow data for the C&C sessions will show network sessions with a significant amount of outgoing traffic.

Network exploitation sequence, Wireshark dump

The iMessage attachment is encrypted and downloaded over HTTPS, so the only implicit indicator that can be used is the amount of downloaded data, which is about 242 Kb.

Encrypted iMessage attachment, Wireshark dump

C&C domains

Using the forensic artifacts, it was possible to identify the set of domain names used by the exploits and further malicious stages. They can be used to check DNS logs for historical information, and to identify the devices currently running the malware:
