iOS Zero-Day Attacks: Experts Reveal Deeper Insights into Operation Triangulation

admin, 2023-10-25 11:46:01

The TriangleDB implant used to target Apple iOS devices packs in at least four different modules to record microphone, extract iCloud Keychain, steal data from SQLite databases used by various apps, and estimate the victim's location.


The findings come from Kaspersky, which detailed the great lengths the adversary behind the campaign, dubbed Operation Triangulation, went to conceal and cover up its tracks while clandestinely hoovering sensitive information from the compromised devices.


The sophisticated attack first came to light in June 2023, when it emerged that iOS devices had been targeted by a zero-click exploit weaponizing then zero-day security flaws (CVE-2023-32434 and CVE-2023-32435). The exploit leverages the iMessage platform to deliver a malicious attachment that can gain complete control over the device and user data.


The scale and the identity of the threat actor are presently unknown, although Kaspersky itself became one of the targets at the start of the year, prompting it to investigate the various components of what it described as a fully-featured advanced persistent threat (APT) platform.


The core of the attack framework is a backdoor called TriangleDB that's deployed after the attackers obtain root privileges on the target iOS device by exploiting CVE-2023-32434, a kernel vulnerability that could be abused to execute arbitrary code.


Now, according to the Russian cybersecurity company, the deployment of the implant is preceded by two validator stages, namely JavaScript Validator and Binary Validator, that are executed to determine if the target device is not associated with a research environment.


"These validators collect various information about the victim device and send it to the C2 server," Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Valentin Pashkov said in a technical report published Monday.


"This information is then used to assess if the iPhone or iPad to be implanted with TriangleDB could be a research device. By performing such checks, attackers can make sure that their zero-day exploits and the implant do not get burned."


By way of background: The starting point of the attack chain is an invisible iMessage attachment that a victim receives, which triggers a zero-click exploit chain designed to stealthily open a unique URL containing obfuscated JavaScript as well as an encrypted payload.



The payload is the JavaScript validator that, besides conducting various arithmetic operations and checking for the presence of Media Source API and WebAssembly, performs a browser fingerprinting technique called canvas fingerprinting by drawing a yellow triangle on a pink background with WebGL and calculating its checksum.


The information collected following this step is transmitted to a remote server in order to receive, in return, an unknown next-stage malware. Also delivered after a series of undetermined steps is a Binary Validator, a Mach-O binary file that carries out the following operations:

  • Remove crash logs from the /private/var/mobile/Library/Logs/CrashReporter directory to erase traces of possible exploitation
  • Delete evidence of the malicious iMessage attachment sent from 36 different attacker-controlled Gmail, Outlook, and Yahoo email addresses
  • Obtain a list of processes running on the device and the network interfaces
  • Check if the target device is jailbroken
  • Turn on personalized ad tracking
  • Gather information about the device (username, phone number, IMEI, and Apple ID), and
  • Retrieve a list of installed apps

"What is interesting about these actions is that the validator implements them both for iOS and macOS systems," the researchers said, adding that the results of the aforementioned actions are encrypted and exfiltrated to a command-and-control (C2) server to fetch the TriangleDB implant.


One of the very first steps taken by the backdoor is to establish communication with the C2 server and send a heartbeat, subsequently receiving commands that delete crash logs and database files to cover up the forensic trail and hamper analysis.

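Both the Binary Validator and the TriangleDB backdoor described above wipe crash logs from /private/var/mobile/Library/Logs/CrashReporter to cover their tracks. The following added example, which is not from Kaspersky's report or tooling, shows one defender-side heuristic that turns this anti-forensic step into a signal: compare the CrashReporter directory across two device snapshots (for instance successive backups) and flag recent reports that vanished. The file names, timestamps and the 30-day aging window are constructed assumptions.

```python
"""Flag crash reports that disappeared between two snapshots of the iOS
CrashReporter directory. Added example; snapshot contents are constructed."""
from datetime import datetime, timedelta

CRASH_DIR = "/private/var/mobile/Library/Logs/CrashReporter"

# Constructed sample data: path -> last-modified time of each .ips report.
# Process names are illustrative only.
EARLIER_SNAPSHOT = {
    f"{CRASH_DIR}/BackBoard-2023-06-01-101512.ips": datetime(2023, 6, 1, 10, 15, 12),
    f"{CRASH_DIR}/MessagesBlastDoorService-2023-06-10-233011.ips": datetime(2023, 6, 10, 23, 30, 11),
    f"{CRASH_DIR}/Weather-2023-05-20-090000.ips": datetime(2023, 5, 20, 9, 0, 0),
    f"{CRASH_DIR}/Safari-2023-03-02-120000.ips": datetime(2023, 3, 2, 12, 0, 0),
}
LATER_SNAPSHOT = {
    f"{CRASH_DIR}/BackBoard-2023-06-01-101512.ips": datetime(2023, 6, 1, 10, 15, 12),
    f"{CRASH_DIR}/Weather-2023-05-20-090000.ips": datetime(2023, 5, 20, 9, 0, 0),
}


def missing_crash_logs(earlier, later, later_taken, max_age_days=30):
    """Return paths present in `earlier` but absent from `later` whose
    modification time is within `max_age_days` of the later snapshot.

    Older reports are ignored because routine aging-out (assumed here to be
    roughly a month) would explain their absence; a recent report that simply
    vanished is the interesting case.
    """
    cutoff = later_taken - timedelta(days=max_age_days)
    return sorted(
        path for path, mtime in earlier.items()
        if path not in later and mtime >= cutoff
    )


def suspicious_basenames(earlier, later, later_taken):
    """Convenience wrapper returning only the file names of flagged reports."""
    return [p.rsplit("/", 1)[-1] for p in missing_crash_logs(earlier, later, later_taken)]


if __name__ == "__main__":
    # Later snapshot assumed taken on 2023-06-15.
    for name in suspicious_basenames(EARLIER_SNAPSHOT, LATER_SNAPSHOT, datetime(2023, 6, 15)):
        print("crash report removed between snapshots:", name)
```

The old Safari report is missing too but falls outside the window, so only the recent BlastDoor report is reported; in practice the threshold should be tuned to the observed retention behaviour of the device being examined.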

Also issued to the implant are instructions to periodically exfiltrate files from the /private/var/tmp directory that contain location, iCloud Keychain, SQL-related, and microphone-recorded data.


A notable feature of the microphone-recording module is its ability to suspend recording when the device screen is turned on, indicating the threat actor's intention to fly under the radar.


What's more, the location-monitoring module is orchestrated to use GSM data, such as mobile country code (MCC), mobile network code (MNC), and location area code (LAC), to triangulate the victim's location when GPS data is not available.


"The adversary behind Triangulation took great care to avoid detection," the researchers said. "The attackers also showed a great understanding of iOS internals, as they used private undocumented APIs in the course of the attack."


Originally published on the WeChat public account (知机安全): iOS Zero-Day Attacks: Experts Reveal Deeper Insights into Operation Triangulation

Please retain this link when reposting (CN-SEC Chinese site; thanks to the original author for their work): http://cn-sec.com/archives/2144261.html