Dissecting TriangleDB, a Triangulation spyware implant
Securelist, published 2023-06-21 (last modified 2023-06-21), https://securelist.com/triangledb-triangulation-implant/110050/

Over the years, there have been multiple cases when iOS devices were infected with targeted spyware such as Pegasus, Predator, Reign and others. Often, the process of infecting a device involves launching a chain of different exploits, e.g. for escaping the iMessage sandbox while processing a malicious attachment, and for getting root privileges through a vulnerability in the kernel. Due to this granularity, discovering one exploit in the chain often does not result in retrieving the rest of the chain and obtaining the final spyware payload. For example, in 2021, analysis of iTunes backups helped to discover an attachment containing the FORCEDENTRY exploit. However, during post-exploitation, the malicious code downloaded a payload from a remote server that was not accessible at the time of analysis. Consequently, the analysts lost "the ability to follow the exploit."

In researching Operation Triangulation, we set ourselves the goal to retrieve as many parts of the exploitation chain as possible. It took about half a year to accomplish that goal, and, after the collection of the chain had been completed, we started an in-depth analysis of the discovered stages. As of now, we have finished analyzing the spyware implant and are ready to share the details.