Cybersecurity firm Kaspersky has released a tool to detect if Apple iPhones and other iOS devices are infected with a new ‘Triangulation’ malware.
Kaspersky discovered the malware on its own network and reports that it has infected multiple iOS devices across its premises worldwide since at least 2019.
Although the malware analysis is still underway, the cybersecurity firm noted that the ‘Operation Triangulation’ campaign uses an unknown zero-day exploit in iMessage to gain code execution with elevated privileges, without any user interaction.
This lets the attackers download further payloads to the device for additional command execution and information collection.
It should also be noted that the FSB, Russia’s intelligence and security service, linked the malware to infections of high-ranking government officials and foreign diplomats.
In the original report, Kaspersky provided quite a few details on manually checking iOS device backups for possible indicators of compromise by this unknown malware using the Mobile Verification Toolkit (MVT).
After that, launch the tool with the following command, passing the path to the created backup as its argument: python -m triangle_check <path to the created backup>
Windows binary:
The Windows binary is available through Kaspersky’s public GitHub repository. To use it, follow these instructions:
Download the triangle_check_win.zip archive from the GitHub releases page and unpack it.
Launch the command prompt (cmd.exe) or PowerShell.
Change your directory to the one with the unpacked archive (e.g., cd %userprofile%\Downloads\triangle_check_win).
Launch triangle_check.exe, specifying the path to the backup as an argument (e.g., triangle_check.exe "%appdata%\Apple Computer\MobileSync\Backup\00008101-000824411441001E-20230530-143718").
Linux binary:
The Linux binary is available through Kaspersky’s public GitHub repository. To use it, follow these instructions:
Download the triangle_check_win.zip archive from the GitHub releases page and unpack it.
Launch the terminal.
Change your directory to the one with the unpacked archive (e.g., cd ~/Downloads/triangle_check_linux).
Make the utility executable with the command chmod +x triangle_check.
Launch the utility, specifying the path to the backup as an argument (e.g., ./triangle_check ~/Desktop/my_backup/00008101-000824411441001E-20230530-143718).
When launched and pointed to the iOS backup path, the triangle_check tool will output one of the following scan results:
DETECTED: The “Operation Triangulation” malware has infected the device beyond doubt.
SUSPICION: The scanner has found some indicators of compromise pointing to a likely infection, but there’s not enough evidence to support a conclusive result.
No traces of compromise were identified: The scanner has not detected any signs of compromise for the particular malware family.
Note that the above results, especially negative ones, should not be treated as definitive assurance that the device is clean.
As the malware’s analysis is ongoing, additional indicators of compromise or even a newer variant that infects more recent iOS releases may be discovered later.
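For anyone who has to check more than one device, the steps above can be wrapped in a small batch runner. The script below is an added example, not Kaspersky's code: it assumes the checker is installed as a Python module and invoked exactly as the article shows (python -m triangle_check <backup>), that each backup is a UDID-named directory containing a Manifest.db, and that the verdict can be recognised from the three result strings listed above. A backup on which the tool produces none of those strings is reported as "unknown" rather than clean, so a tool failure is never mistaken for a negative result.

```python
"""Run triangle_check over every iOS backup under one MobileSync folder.

Added example, not part of the article or Kaspersky's tool. Assumptions:
the checker is invoked as `python -m triangle_check <backup_dir>` and its
verdict is recognised from the three result strings the article lists.
"""
import subprocess
import sys
from pathlib import Path

# Verdict markers as described in the article, matched case-insensitively on
# the checker's output. Positive verdicts are checked before "clean".
VERDICTS = (
    ("DETECTED", "detected"),
    ("SUSPICION", "suspicion"),
    ("No traces of compromise were identified", "clean"),
)


def classify_output(output: str) -> str:
    """Map checker output to 'detected', 'suspicion', 'clean' or 'unknown'.
    'unknown' means the tool did not produce a recognisable verdict (crash,
    wrong path, newer output format) and the backup still needs a look."""
    text = output.lower()
    for marker, verdict in VERDICTS:
        if marker.lower() in text:
            return verdict
    return "unknown"


def find_backups(root: Path) -> list:
    """Backups are directories holding a Manifest.db (assumption about the
    iOS backup layout); other entries under the folder are skipped."""
    return sorted(p for p in root.iterdir()
                  if p.is_dir() and (p / "Manifest.db").exists())


def scan_backup(backup: Path) -> str:
    """Run the checker on one backup directory and return its verdict."""
    proc = subprocess.run([sys.executable, "-m", "triangle_check", str(backup)],
                          capture_output=True, text=True)
    return classify_output(proc.stdout + proc.stderr)


if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    results = {b.name: scan_backup(b) for b in find_backups(root)}
    for name, verdict in results.items():
        print(f"{verdict:10s} {name}")
    # Non-zero exit if anything needs attention, so a scheduled job can alert.
    sys.exit(1 if any(v != "clean" for v in results.values()) else 0)
```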
A targeted malware campaign
Typically, espionage-driven malware distribution campaigns like “Operation Triangulation” target specific individuals or companies rather than the wider population, so most people using the checker should get a clean result.
However, Kaspersky’s tool could be handy for people holding critical roles in important organizations, individuals at heightened risk of state-sponsored espionage, and those working in companies or services that act as information hubs.
Currently, the exact origin of the malware and the orchestrators of Operation Triangulation remain unknown; hence, the targeting scope and victimology have not been determined.