iOS Zero-Day Attacks: Experts Uncover Deeper Insights into Operation Triangulation

In June 2023, an unknown threat actor leveraged two zero-days to deliver malicious attachments over iMessage. The TriangleDB implant enabled the threat actor to record audio, extract iCloud Keychain information, estimate a device’s location, and steal data from SQLite databases. Cybersecurity firm Kaspersky recently discovered that two validator stages preceded these Operation Triangulation attacks.

Before deploying TriangleDB on victim iOS devices, the attacker first ran two validators, JavaScript Validator and Binary Validator, to survey target machines. The validators helped the threat actor avoid interacting with research devices that could burn their zero-day and implant. The threat actor first sent an invisible iMessage attachment that opened a URL containing the JavaScript Validator and an encrypted payload. After the checks for the Media Source API and WebAssembly, the threat actor delivered the Binary Validator, which covered its own tracks, checked whether the device was jailbroken, turned on personalized ad tracking, and gathered general information about the device. The operators took extreme care to avoid detection and to select the best targets.

Read More:

https://thehackernews.com/2023/10/operation-triangulation-experts-uncover.html
