The campaign, according to Kaspersky, leveraged multiple flaws in iOS that allowed it to run in memory and gain root privileges. No persistence mechanism was identified, but given how most people use their phones, the likelihood of a reboot for any reason (other than a forced one) is small. This means the malware can run happily in memory for a considerable time. TriangleDB was written in Objective-C and is the core component of the campaign. TriangleDB establishes communication with the C2 servers and maintains it via a heartbeat for as long as the malware is resident in memory.
It is important to note that the combination of flaws leveraged in this campaign allowed the malware to be installed without any user interaction. The delivery vector was "an invisible iMessage with a malicious attachment, which, using a number of vulnerabilities in the iOS operating system, is executed on a device and installs spyware." A targeted user did not have to click on anything for the malware to be installed. This makes the combined flaws extremely dangerous even in an organization where security training (anti-phishing/smishing) is well established. The reason is that most organizations allow people to bring their own device and do not install any anti-malware tooling on it to prevent in-memory implants like the one we see with Triangle. On the security side, there are few MDR/EDR products for mobile devices that are designed to investigate, or even look at, memory on a phone. This leaves these devices very open to attack and compromise and represents one of the largest overlooked exposures for organizations of any size.
Looking deeper into the malware in question suggests a tool that might have a broader reach than initially anticipated. There were references to macOS as well as other permission requests that are not exercised by the existing samples. The unused permission requests and the macOS references make it likely that this malware will be upgraded, or will have modules deployed after the initial infection, to make it more functional for the threat group using this tool.
There is still no indication of who is behind the malware, although Russia is pointing the finger at US/Apple cooperation. The good news is that Apple has patched the two primary flaws used in this attack (CVE-2023-32434 and CVE-2023-32435, in the kernel and WebKit respectively). Apple and other security firms recommend an immediate update for any Apple device running iOS 15.7 or older. Happy Patching!