{"id":32151,"date":"2023-06-27T15:03:46","date_gmt":"2023-06-27T04:03:46","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/triangledb-mobile-apt\/32151\/"},"modified":"2023-06-27T15:03:46","modified_gmt":"2023-06-27T04:03:46","slug":"triangledb-mobile-apt","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/triangledb-mobile-apt\/32151\/","title":{"rendered":"TriangleDB: the spyware implant of Operation Triangulation"},"content":{"rendered":"<p>Not so long ago, our technologies <a href=\"https:\/\/www.kaspersky.com\/blog\/triangulation-attack-on-ios\/48353\/\" target=\"_blank\" rel=\"noopener nofollow\">detected<\/a> a new APT attack on iPhones. The attack was part of a campaign aimed at, among others, Kaspersky employees. Unknown attackers used an iOS kernel vulnerability to deploy a spyware implant dubbed TriangleDB in the device\u2019s memory. Our experts have been able to study this implant thoroughly.<\/p>\n<h2>What can the TriangleDB implant do?<\/h2>\n<p>Studying this implant was no easy task, since it runs only in the phone\u2019s memory and leaves no persistent traces on the file system. As a result, a reboot removes the implant together with all traces of the attack, and the malware also had a self-destruct timer that fired automatically 30 days after the initial infection unless the operators sent a command to extend its lifetime. 
The basic functionality of the implant includes the following features:<\/p>\n<ul>\n<li>file manipulation (creation, modification, deletion and exfiltration);<\/li>\n<li>manipulation of running processes (listing and terminating them);<\/li>\n<li>exfiltration of iOS keychain items, which may contain certificates, digital identities and\/or credentials for various services;<\/li>\n<li>transmission of geolocation data, including coordinates, altitude, and speed and direction of movement.<\/li>\n<\/ul>\n<p>The implant can also load additional modules into the phone\u2019s memory and run them. If you\u2019re interested in the technical details of the implant, you can find them in a <a href=\"https:\/\/securelist.com\/triangledb-triangulation-implant\/110050\/\" target=\"_blank\" rel=\"nofollow noopener\">post on the Securelist blog<\/a> (aimed at cybersecurity experts).<\/p>\n<h2>APT attacks on mobile devices<\/h2>\n<p>Until recently, the main targets of APT attacks have mostly been traditional personal computers. However, modern mobile devices are now comparable to office PCs in terms of both performance and functionality. They\u2019re used to interact with business-critical information, store both personal and business secrets, and can serve as access keys to work-related services. APT groups are therefore putting more and more effort into designing attacks on mobile operating systems.<\/p>\n<p>Of course, Triangulation is not the first attack aimed at iOS devices. Everyone remembers the infamous (and, unfortunately, still ongoing) <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-protect-from-pegasus-spyware\/43453\/\" target=\"_blank\" rel=\"noopener nofollow\">case<\/a> of the commercial spyware Pegasus. There have been other examples too, such as Insomnia, Predator and Reign. Unsurprisingly, APT groups are interested in Android as well. 
Not so long ago, news outlets <a href=\"https:\/\/thehackernews.com\/2023\/04\/pakistan-based-transparent-tribe.html\" target=\"_blank\" rel=\"nofollow noopener\">wrote about an attack<\/a> by the \u201cTransparent Tribe\u201d APT group, which used the CapraRAT backdoor against Indian and Pakistani Android users. And in the third quarter of last year, we <a href=\"https:\/\/securelist.com\/apt-trends-report-q3-2022\/107787\/\" target=\"_blank\" rel=\"noopener\">discovered<\/a> previously unknown spyware targeting Farsi-speaking users.<\/p>\n<p>All this suggests that protecting a company from APT attacks these days means securing not only stationary equipment, such as servers and workstations, but also the mobile devices used for work.<\/p>\n<h2>How to improve your chances against APT attacks on mobiles<\/h2>\n<p>It would be wrong to assume that the default protection technologies provided by device manufacturers are enough to protect mobile devices. The Operation Triangulation case clearly shows that even Apple\u2019s technologies aren\u2019t perfect. We therefore recommend that businesses always employ a layered protection system that includes convenient tools for controlling mobile devices, plus systems that can monitor those devices\u2019 network interactions.<\/p>\n<p>The first line of defense should be an MDM-class solution. Our <a href=\"https:\/\/www.kaspersky.com.au\/small-to-medium-business-security?icid=au_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Endpoint Security for Mobile<\/a> provides centralized management of mobile device security via Kaspersky Security Center, our administration console. 
In addition, our solution provides protection against phishing, web threats and malware (Android only; Apple does not allow third-party antivirus engines on iOS).<\/p>\n<p>In particular, it employs <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/wiki-section\/products\/kaspersky-security-network\" target=\"_blank\" rel=\"noopener nofollow\">Cloud ML for Android technology<\/a> to detect Android malware. This technology runs in the KSN cloud and is based on machine learning: a model trained on millions of known Android malware samples detects even previously unknown malware with high precision.<\/p>\n<p>However, threat actors increasingly use mobile platforms in sophisticated targeted attacks. It therefore makes sense to use a system that can monitor network activity, whether a security information and event management (SIEM) system or another tool that lets your experts handle complex cybersecurity incidents with extended detection and response, such as our <a href=\"https:\/\/www.kaspersky.com.au\/enterprise-security\/anti-targeted-attack-platform?icid=au_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Anti Targeted Attack Platform<\/a>.<\/p>\n<p>Operation Triangulation itself was discovered by our experts while monitoring a corporate Wi-Fi network with our own SIEM system, Kaspersky Unified Monitoring and Analysis Platform (KUMA). This is worth noting: because the implant lives only in memory and leaves nothing on the file system, its network activity was the observable that exposed it. 
In addition, our <a href=\"https:\/\/www.kaspersky.com.au\/enterprise-security\/threat-intelligence?icid=au_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Threat Intelligence<\/a> solutions provide security systems and experts with up-to-date information about new threats, as well as about attackers\u2019 tactics, techniques and procedures (TTPs).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>APT operators are showing increasing interest in mobile devices. Our experts have studied one of their tools.<\/p>\n","protected":false},"author":2706,"featured_media":32152,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2993],"tags":[499,1250,26,2023,2464],"class_list":{"0":"post-32151","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-apt","10":"tag-ios","11":"tag-iphone","12":"tag-mdm","13":"tag-siem"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/triangledb-mobile-apt\/32151\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/triangledb-mobile-apt\/25842\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/triangledb-mobile-apt\/21283\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/triangledb-mobile-apt\/28540\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/triangledb-mobile-apt\/26141\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/triangledb-mobile-apt\/26468\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/triangledb-mobile-apt\/28946\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/triangledb-mobile-apt\/35612\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/triangledb-mobile-apt\/48471\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/triangledb-mobile-apt\/20761\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/triangledb-mobile-apt\/21469\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/triangledb-mobile-apt\/30279\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/triangledb-mobile-apt\/31835\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/32151","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=32151"}],"version-history":[{"count":0,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/32151\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/32152"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=32151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=32151"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=32151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}