Hackers Launch a Chain of Exploits Via Malicious iMessage Attachments
In June, a brand new campaign targeting iPhone and iPad devices was named "TriangleDB." The malware's infection chain starts with a malicious iMessage attachment, which launches a sequence of exploits on the affected devices.
Moreover, several modules were found in this malware, and these can in turn fetch additional modules. Alongside the infection chain, there were two validators: a "JavaScript validator" and a "Binary validator."
These validators collect several pieces of information from the targeted devices and send them to a C2 server; the threat actors later use this information to access the compromised devices and determine whether a device is a test device or a victim device.
JavaScript Validator
In addition, this malware is a zero-click exploit delivered through invisible iMessage attachments. The main purpose of the JS validator is to stealthily open a URL on the domain backuprabbit[.]com.
This web page contains obfuscated JavaScript code from the NaCl cryptography library and an encrypted payload. The JS code performs canvas fingerprinting by drawing a yellow triangle on a pink background with WebGL and calculating its checksum.
It then encrypts the collected information and sends it to the same server to obtain the next stage of the infection chain.
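The fingerprinting step described above has to read the rendered pixels back out of a canvas before it can hash them. As an added example, not code from the article or from Securelist, the hook below wraps those canvas readback APIs so a privacy extension or an instrumented test browser can log them and flag readbacks from canvases that were never inserted into the document; `win` is any window-like object, and the constructor names are the standard browser ones.

```javascript
// Added example (not from the article): log calls to the canvas readback APIs a
// fingerprinting script must use, and note whether the canvas is offscreen.
// `win` is a window-like object; a stub with the same constructor names also works.
function installCanvasReadbackMonitor(win, onReadback) {
  const events = [];
  // [constructor, method] pairs whose result exposes rendered pixels
  const targets = [
    [win.HTMLCanvasElement, 'toDataURL'],
    [win.HTMLCanvasElement, 'toBlob'],
    [win.CanvasRenderingContext2D, 'getImageData'],
    [win.WebGLRenderingContext, 'readPixels'],
    [win.WebGL2RenderingContext, 'readPixels'],
  ];
  for (const [ctor, name] of targets) {
    if (!ctor || typeof ctor.prototype[name] !== 'function') continue;
    const original = ctor.prototype[name];
    ctor.prototype[name] = function (...args) {
      // Drawing contexts expose their element via `.canvas`; for element
      // methods the receiver is the element itself.
      const isElement = win.HTMLCanvasElement && this instanceof win.HTMLCanvasElement;
      const element = isElement ? this : this.canvas;
      const ev = {
        api: `${ctor.name}.${name}`,
        // A canvas never attached to the document is invisible to the user,
        // which is the usual shape of a fingerprinting probe.
        offscreen: !(element && element.isConnected),
        time: Date.now(),
      };
      events.push(ev);
      if (onReadback) onReadback(ev);
      return original.apply(this, args);
    };
  }
  return events;
}

// Summarise the log: number of readbacks from offscreen canvases, per API.
function offscreenReadbackCounts(events) {
  const counts = {};
  for (const ev of events) {
    if (ev.offscreen) counts[ev.api] = (counts[ev.api] || 0) + 1;
  }
  return counts;
}
```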
Binary Validator
This validator is launched before the installation of the TriangleDB implant. The binary validator is responsible for removing crash logs, removing the ids-pub-id.db or knowledge.db databases, turning on personalised ad tracking, and much more.
After collecting all this information, it sends it in encrypted form (list of processes, user information, etc.) to the C2 server.
Additionally, this malware can record from the microphone, exfiltrate the Keychain, steal SQLite databases, and track location.
Log Retrieval
After the implant establishes communication with its C2, it receives several CRXShowTables and CRXFetchRecord commands, which are related to retrieving logs that may contain traces of the infection, such as crash log files, database files, and others.
Microphone Recording
This module is named "msu3h" and is considered one of the most intrusive modules of this malware. However, it records only when the battery charge of the affected device is above 10%.
In addition, it supports further parameters such as suspendOnDeviceInUse (suspend recording while the device is in use) and syslogRelayOverride (whether audio should still be recorded while system logs are being captured).
Keychain Exfiltration
This module was fully based on code from the iphone-dataprotection.keychainviewer project, but why the threat actor implemented it even though similar modules already exist is still unknown.
SQLite stealing
The internal data of many iOS apps is stored in SQLite databases, so the threat actor has implemented several modules for stealing SQLite databases. All of the SQLite stealing modules share the same codebase and encrypted configuration.
A complete report about this malware has been published by SecureList, which provides detailed information about the TriangleDB implant.
Source credit : cybersecuritynews.com