{"id":109867,"date":"2023-06-02T12:16:15","date_gmt":"2023-06-02T12:16:15","guid":{"rendered":"https:\/\/kasperskycontenthub.com\/securelist\/?p=109867"},"modified":"2023-06-20T15:57:59","modified_gmt":"2023-06-20T15:57:59","slug":"find-the-triangulation-utility","status":"publish","type":"post","link":"https:\/\/securelist.com\/find-the-triangulation-utility\/109867\/","title":{"rendered":"In search of the Triangulation: triangle_check utility"},"content":{"rendered":"<p>In our <a href=\"https:\/\/securelist.com\/operation-triangulation\/109842\/\" target=\"_blank\" rel=\"noopener\">initial blogpost<\/a> about &#8220;Operation Triangulation&#8221;, we published a comprehensive guide on how to manually check iOS device backups for possible indicators of compromise using MVT. This process takes time and requires manual search for several types of indicators. To automate this process, we developed a dedicated utility to scan the backups and run all the checks. For Windows and Linux, this tool can be downloaded as <a href=\"https:\/\/github.com\/KasperskyLab\/triangle_check\/releases\" target=\"_blank\" rel=\"noopener\">a binary build<\/a>, and for MacOS it can be simply installed as <a href=\"https:\/\/pypi.org\/project\/triangle-check\/\" target=\"_blank\" rel=\"noopener\">a Python package<\/a>.<\/p>\n<h2 id=\"how-to-back-up-your-device\">How to back up your device<\/h2>\n<h3 id=\"windows\">Windows<\/h3>\n<p>On Windows, the easiest way to do a backup is via iTunes:<\/p>\n<ol>\n<li>Connect your device to a computer that has iTunes installed. Unlock your device and, if needed, confirm that you trust your computer.\n<div id=\"attachment_109868\" style=\"width: 414px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/06\/02120803\/triangle_check_01.png\" class=\"magnificImage\"><img aria-describedby=\"caption-attachment-109868\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-109868\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/06\/02120803\/triangle_check_01.png\" alt=\"\" width=\"404\" height=\"241\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/06\/02120803\/triangle_check_01.png 404w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/06\/02120803\/triangle_check_01-300x179.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/06\/02120803\/triangle_check_01-293x175.png 293w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/06\/02120803\/triangle_check_01-370x221.png 370w\" sizes=\"(max-width: 404px) 100vw, 404px\" \/><\/a><p id=\"caption-attachment-109868\" class=\"wp-caption-text\">Window asking to trust the computer<\/p><\/div><\/li>\n<li>Your device should now be displayed in iTunes. Right click on it and press &#8220;Back Up&#8221;.<br \/>\n<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/06\/02120812\/triangle_check_02.png\" class=\"magnificImage\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-109869\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/06\/02120812\/triangle_check_02.png\" alt=\"\" width=\"974\" height=\"539\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/06\/02120812\/triangle_check_02.png 974w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/06\/02120812\/triangle_check_02-300x166.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/06\/02120812\/triangle_check_02-768x425.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/06\/02120812\/triangle_check_02-270x150.png 270w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/06\/02120812\/triangle_check_02-316x175.png 316w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/06\/02120812\/triangle_check_02-370x205.png 370w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/06\/02120812\/triangle_check_02-506x280.png 506w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/06\/02120812\/triangle_check_02-800x443.png 800w\" sizes=\"(max-width: 974px) 100vw, 974px\" \/><\/a><\/li>\n<li>The created backup will be saved to the <em>%appdata%\\Apple Computer\\MobileSync\\Backup directory<\/em>.<\/li>\n<\/ol>\n<h3 id=\"macos\">macOS<\/h3>\n<p>If your macOS version is lower than Catalina (10.15), you can create a backup using iTunes, using instructions for Windows. Starting from Catalina, backups can be created through Finder:<\/p>\n<ul>\n<li>Connect your device to the computer and, if needed, confirm that you trust the computer.<\/li>\n<li>Your device should now be displayed in Finder. Select it and then click &#8220;<em>Create a backup<\/em>&#8220;.<\/li>\n<li>The created backup will be saved to the <em>~\/Library\/Application Support\/MobileSync\/Backup\/<\/em> directory.<\/li>\n<\/ul>\n<h3 id=\"linux\">Linux<\/h3>\n<p>To create a backup on Linux, you will need to install the libimobiledevice library. In order to create backups of devices with the latest versions of iOS installed, you will need to compile this library from <a href=\"https:\/\/github.com\/libimobiledevice\/libimobiledevice\" target=\"_blank\" rel=\"noopener\">source code<\/a> (you can find the build instructions in the Installation\/Getting Started section).<br \/>\nAfter you install the library and connect your device to the computer, you can create a backup using the <code style=\"color: #333\">idevicebackup2 backup --full <\/code> command.<br \/>\nDuring the backup process, you may need to enter your device passcode multiple times.<\/p>\n<h2 id=\"how-to-use-our-triangle_check-utility\">How to use our triangle_check utility<\/h2>\n<p>After you do a backup of your device using the instructions above, you will need to install and launch our triangle_check utility.<\/p>\n<h3 id=\"the-triangle_check-python-package\">The triangle_check Python package<\/h3>\n<p>No matter what operating system you have, you can install the triangle_check Python package that we have published to the Python Package Index (PyPi). To do that, you need to have internet access as well as have <a href=\"https:\/\/pip.pypa.io\/en\/stable\/installation\/\" target=\"_blank\" rel=\"noopener\">the pip utility<\/a> installed.<br \/>\nYou can install the utility using two methods:<\/p>\n<ul>\n<li>From PyPI (recommended):<br \/>\nRun the <code style=\"color: #333\">python -m pip install triangle_check<\/code> command.<\/li>\n<li>Building from Github:<br \/>\nRun the following commands:<br \/>\n<code style=\"color: #333\">git clone https:\/\/github.com\/KasperskyLab\/triangle_check<br \/>\ncd triangle_check<br \/>\npython -m build<br \/>\npython -m pip install dist\/triangle_check-1.0-py3-none-any.whl<\/code><\/li>\n<\/ul>\n<p>After installing, you can launch the utility with the following command:<br \/>\n<code style=\"color: #333\">python -m triangle_check <em>path to the created backup<\/em><\/code>.<\/p>\n<h3 id=\"binary-builds\">Binary builds<\/h3>\n<p>If you have Windows or Linux, you can also use the binary builds of the triangle_check utility that we <a href=\"https:\/\/github.com\/KasperskyLab\/triangle_check\/releases\" target=\"_blank\" rel=\"noopener\">have published on GitHub<\/a>. Follow the instructions below to use it:<br \/>\n<strong>Windows<\/strong><\/p>\n<ol>\n<li>Download the triangle_check_win.zip archive from the GitHub releases page and unpack it.<\/li>\n<li>Launch the command prompt (cmd.exe) or PowerShell.<\/li>\n<li>Change your directory to the one with the unpacked archive (e.g. <code style=\"color: #333\">cd %userprofile%\\Downloads\\triangle_check_win<\/code>).<\/li>\n<li>Launch triangle_check.exe, specifying the path to the backup as an argument (e.g. <code style=\"color: #333\">triangle_check.exe \"%appdata%\\Apple Computer\\MobileSync\\Backup\\00008101-000824411441001E-20230530-143718\" <\/code>).<\/li>\n<\/ol>\n<p><strong>Linux<\/strong><\/p>\n<ol>\n<li>Download the triangle_check_win.zip archive from the GitHub releases page and unpack it.<\/li>\n<li>Launch the terminal.<\/li>\n<li>Change your directory to the one with the unpacked archive (e.g. <code style=\"color: #333\">cd ~\/Downloads\/triangle_check_linux<\/code>).<\/li>\n<li>Allow the utility to be executed with the <code style=\"color: #333\">chmod +x triangle_check<\/code> command.<\/li>\n<li>Launch the utility, specifying the path to the backup as an argument (e.g. <code style=\"color: #333\">.\/triangle_check  ~\/Desktop\/my_backup\/00008101-000824411441001E-20230530-143718 <\/code>).<\/li>\n<\/ol>\n<h2 id=\"interpreting-the-results\">Interpreting the results<\/h2>\n<p>The utility outputs &#8220;<span style=\"color:red\">DETECTED<\/span>&#8221; when it locates specific indicators of compromise, and that would mean that the device was infected.<br \/>\nAlso, it may print out &#8220;<span style=\"color:orange\">SUSPICION<\/span>&#8221; that would mean that a combination of less specific indicators points to a likely infection. Finally, if the message displayed is &#8220;<span style=\"color:green\">No traces of compromise were identified<\/span>&#8220;, then the utility did not find any signs of &#8216;Operation Triangulation&#8217; compromise.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We developed a dedicated utility to scan the iOS backups and run all the checks for Operation Triangulation indicators.<\/p>\n","protected":false},"author":266,"featured_media":109872,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[119],"tags":[3889,3624,4473],"banners":"","hreflang":[{"hreflang":"x-default","url":"https:\/\/securelist.com\/find-the-triangulation-utility\/109867\/"},{"hreflang":"ru","url":"https:\/\/securelist.ru\/find-the-triangulation-utility\/107494\/"}],"_links":{"self":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/109867"}],"collection":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/users\/266"}],"replies":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/comments?post=109867"}],"version-history":[{"count":17,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/109867\/revisions"}],"predecessor-version":[{"id":110059,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/109867\/revisions\/110059"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/media\/109872"}],"wp:attachment":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/media?parent=109867"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/categories?post=109867"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/tags?post=109867"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}