“While monitoring the network traffic of our own corporate Wi-Fi network dedicated for mobile devices using the Kaspersky Unified Monitoring and Analysis Platform (KUMA), we noticed suspicious activity that originated from several iOS-based phones. We are calling this campaign ‘Operation Triangulation.’”

“We identified that the latest version of iOS that was targeted by Triangulation is 15.7. However, given the sophistication of the cyberespionage campaign and the complexity of analysis of the iOS platform, we can’t guarantee that other versions of iOS are not affected.”

“‘Operation Triangulation’ general infection sequence:
1. The target iOS device receives a message via the iMessage service, with an attachment containing an exploit.
2. Without any user interaction, the message triggers a vulnerability that leads to code execution.
3. The code within the exploit downloads several subsequent stages from the C&C server, that include additional exploits for privilege escalation.
4. After successful exploitation, a final payload is downloaded from the C&C server, that is a fully-featured APT platform.
5. The initial message and the exploit in the attachment are deleted.”

“The analysis of the final payload is not finished yet. The code is run with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C&C server.”

“It is important to note that, although the malware includes portions of code dedicated specifically to clear the traces of compromise, it is possible to reliably identify if the device was compromised.”

“Furthermore, if a new device was set up by migrating user data from an older device, the iTunes backup of that device will contain the traces of compromise that happened to both devices, with correct timestamps.”

See the full article for instructions on how to check if your iOS device was compromised using the Triangulation exploit.