Operation Triangulation: Zero-Click iPhone Malware

Kaspersky is reporting a zero-click iOS exploit in the wild:

Mobile device backups contain a partial copy of the filesystem, including some of the user data and service databases. The timestamps of the files, folders and the database records allow us to roughly reconstruct the events happening to the device. The mvt-ios utility produces a sorted timeline of events into a file called “timeline.csv,” similar to a super-timeline used by conventional digital forensic tools.

Using this timeline, we were able to identify specific artifacts that indicate the compromise. This allowed us to move the research forward, and to reconstruct the general infection sequence:

  • The target iOS device receives a message via the iMessage service, with an attachment containing an exploit.
  • Without any user interaction, the message triggers a vulnerability that leads to code execution.
  • The code within the exploit downloads several subsequent stages from the C&C server, which include additional exploits for privilege escalation.
  • After successful exploitation, a final payload is downloaded from the C&C server, which is a fully-featured APT platform.
  • The initial message and the exploit in the attachment are deleted.

The malicious toolset does not support persistence, most likely due to the limitations of the OS. The timelines of multiple devices indicate that they may be reinfected after rebooting. The oldest traces of infection that we discovered happened in 2019. As of the time of writing in June 2023, the attack is ongoing, and the most recent version of the devices successfully targeted is iOS 15.7.

No attribution as of yet.
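The super-timeline technique described in the quoted report, as an added illustration that is not Kaspersky's code and not part of mvt-ios: timestamped records from several backup artifacts (file modification times from the backup manifest, rows from a messages database, deletion tombstones) are merged into one list sorted by time and written out in the same shape as a timeline.csv, and a simple burst detector shows why that ordering helps. Every path, row id and timestamp below is constructed sample data, not a real indicator; the five-minute window and three-event threshold are arbitrary illustration values.

```python
"""Build a sorted 'super-timeline' from heterogeneous backup artifacts.

Added example, not Kaspersky's or mvt-ios code. Each timestamped record from
the backup becomes one row; sorting across sources makes bursts of activity
that follow an inbound message visible. All records are constructed samples.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    timestamp: datetime
    source: str   # artifact the record came from (manifest, messages db, ...)
    event: str    # what happened (file_modified, message, message_deleted)
    detail: str   # path, row id or text


def parse_iso(ts: str) -> datetime:
    """Backup timestamps are UTC; attach the zone so arithmetic is unambiguous."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


# Constructed sample artifacts (hypothetical paths and ids).
MANIFEST_FILES = [  # (relative path, mtime) as recovered from the backup manifest
    ("Library/SMS/Attachments/ab/11/ATTACH-0001", "2023-05-01T09:12:03"),
    ("Library/Caches/com.example.cache/tmp.bin", "2023-05-01T09:12:41"),
    ("Library/Preferences/com.example.plist", "2023-04-30T18:00:00"),
]
SMS_ROWS = [  # (rowid, date, text) as they might appear in a messages database
    (101, "2023-05-01T09:11:58", "attachment received"),
    (102, "2023-05-01T12:30:00", "hello"),
]
DELETED_ROWS = [  # (rowid, deletion time) from a tombstone / free-list scan
    (101, "2023-05-01T09:13:10"),
]


def build_timeline() -> list:
    """Merge every source into one list of Event sorted by timestamp."""
    events = []
    for path, mtime in MANIFEST_FILES:
        events.append(Event(parse_iso(mtime), "Manifest.db", "file_modified", path))
    for rowid, date, text in SMS_ROWS:
        events.append(Event(parse_iso(date), "sms.db", "message", f"rowid={rowid} {text}"))
    for rowid, date in DELETED_ROWS:
        events.append(Event(parse_iso(date), "sms.db", "message_deleted", f"rowid={rowid}"))
    return sorted(events, key=lambda e: e.timestamp)


def to_csv(events) -> str:
    """Render the timeline in the same column layout as a timeline.csv."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["timestamp", "source", "event", "detail"])
    for e in events:
        writer.writerow([e.timestamp.isoformat(), e.source, e.event, e.detail])
    return buf.getvalue()


def activity_bursts(events, window=timedelta(minutes=5), min_events=3):
    """Return clusters of at least `min_events` events that fall within `window`.

    An inbound message, new files appearing seconds later, and the message
    being deleted shortly after is the kind of cross-source pattern a sorted
    timeline exposes; a burst is only a lead for an analyst, not proof."""
    bursts = []
    i = 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and events[j + 1].timestamp - events[i].timestamp <= window:
            j += 1
        if j - i + 1 >= min_events:
            bursts.append(events[i:j + 1])
            i = j + 1
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    timeline = build_timeline()
    print(to_csv(timeline))
    for burst in activity_bursts(timeline):
        print(f"burst of {len(burst)} events starting {burst[0].timestamp.isoformat()}")
```

On the sample data the four events between 09:11:58 and 09:13:10 form one burst while the unrelated preference write the evening before and the afternoon message do not; on a real backup the interesting part is inspecting which paths and records make up each burst.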

Posted on June 9, 2023 at 7:12 AM • 13 Comments

Comments

TimH June 9, 2023 10:11 AM

Does the exploit use the Safari renderer? Would disabling JS in Safari stop the vector?

Vesselin Bontchev June 9, 2023 10:14 AM

The FSB (Russia’s security agency) is attributing it to the NSA, “working in collaboration with Apple” but they are politically motivated and provide no technical evidence, so I wouldn’t put too much faith in this.

All I can say is that even if it is the NSA, it’s not the same unit we’re known as the “Equation group”.

Clive Robinson June 9, 2023 11:17 AM

@ Bruce, ALL,

“Kaspersky is reporting a zero-click iOS exploit in the wild”

Others who have remained nameless have strongly suggested that there is an iOS Kernel issue involving a buffer overflow or similar. Slightly before this Kaspersky report.

Not sure it,

1, What they have indicated is true.
2, If it is related or not.

What is reasonably sure is that as far as espionage goes be it political, economic, or personal, Apple Devices and Apple OS’s are now the targets with most sought after exploits.

I think we can assume in part that is down to the demographics of the users.

I’m in no way suggesting that people move to a different software or hardware eco-system, in my view all consumer devices are hopelessly insecure so that would make no difference.

What I’m suggesting is that people think long and hard about the risk/benefit of having “a spy in your pocket”. That is devices tracking your every movement even down to hand gestures and head nods, association with others, and in all probability all your words as well as communicated thoughts.

That is what do you gain as an actual benefit, versus the very real and sadly too often demonstrated risk to life, liberty, and freedom from harm of yourself and those you know, care, or love around you.

As I’ve mentioned in the past my mobile phone is no longer mobile, when its battery became knackered it in effect became a “land line” in a room I don’t work, socialise, or use other technology in…

I’ve often done and mentioned things in the past that have caused people to call me in effect “paranoid” it was my choice to do them, and I guess their choice to see it that way at the time. Many are things that now, quite normal people, routinely for their own safety, privacy, and physical security. The other things are also moving in the same direction, into more normal use for people’s safety and privacy. This is not just well-to-do middle class and above adults, it’s also people’s children trying to find safe refuge from their enforced peers and worse.

Ted June 9, 2023 1:45 PM

From a Kaspersky blog post:

“An indirect indication of the presence of Triangulation on the device is the disabling of the ability to update iOS.”

This certainly would come across as a red flag, if users could observe this.

I’m a little confused what triggered Kaspersky to start researching this malware. The original post seems to suggest they discovered some anomalies while monitoring their corporate Wi-Fi network used for mobile devices.

Apparently the firm plans to share their “full, finalized findings at the international Security Analyst Summit in October.” I’m curious if they’ll share where infections were found.

https://usa.kaspersky.com/blog/triangulation-attack-on-ios/28444/

WTFUT June 9, 2023 9:41 PM

The target iOS device receives a message via the iMessage service, with an attachment containing an exploit.

Solution could be to simply disable iMessages? Isn’t that mostly used by children anyway?

lurker June 9, 2023 11:52 PM

@WTFUT

If only it were as simple as disabling iMessage. To connect to the telco’s network a “phone” must be able to do SMS, which punches through much better than voice in weak signal areas, and is recommended in emergencies to keep the data load down on the network. Unfortunately very few handsets now have plain vanilla SMS. Apple, Google, and their band of brothers have decided you would much rather like their Message.app, which is a chocolate and treacle overlay on SMS, and lets your messages display in fancy fonts and pretty colors. And have attachments. Attachments on a Simple Message Service?

First there was TXT, then came PXT, then came the malformed picture attacks on PXT, then the OS vendors decided to combine the two. Not intentionally to improve the attack vector, but that’s been the result.

To receive the Emergency Tornado or Wildfire Alerts you are stuck with whatever garbage and malware bait your phone vendor has layered over the SMS.

Flash June 10, 2023 10:28 AM

Dear Clive,

“Those who would sacrifice Liberty for Safety will have neither.”

Your forefathers dealt with espionage ALL.THE.TIME but did not choose the option of ‘lock oneself away forever’ as an appropriate posture. We work problems the best we can, mitigate as much damage as possible, and keep looking for solutions. This will occur one gen after the next because, that’s a part of Life. Not all things grow or die at the same rate, so it’s important not to despair to such a degree you choose ‘hiding’ over ‘facing’. And we HAVE to face the fact bad decisions were once made by engineers of all types blah blah blah here we are, let’s work together to fix it as fast as possible and where we can’t fix, we will invent and where we can’t invent we will hold stable as long as possible because why?
Because you never know what’s around the next corner and odds are just as even, chief, it might be really good. 🙂

Ismar June 10, 2023 7:02 PM

Silver lining- every time one of these exploits is identified and fixed the iOS becomes safer to use and more expensive to craft exploits for in the future.

Untitled June 11, 2023 10:48 AM

@lurker

You’re referring to MMS. On an iPhone, iMessage can be disabled, and MMS can also be disabled, both in easily-found, simple settings. Without iMessage and MMS, doesn’t an iPhone in fact have only the plain vanilla SMS that you want?
YMMV

ResearcherZero June 13, 2023 1:38 AM

‘https://support.apple.com/guide/security/how-imessage-sends-and-receives-messages-sec70e68c949/web

ResearcherZero June 14, 2023 12:20 AM

@TimH

It may not need JS, though the detail is somewhat limited so far. There may be multiple ways to launch the exploit or numerous exploits in their arsenal.

The following is from a different campaign by NSO group targeting GIF image support in iMessage with the FORCEDENTRY exploit for their Pegasus spyware…

“The CoreGraphics PDF parser doesn’t seem to interpret javascript, but NSO managed to find something equally powerful inside the CoreGraphics PDF parser.”

“Under the hood it uses the CoreGraphics APIs to render the source image to a new GIF file at the destination path. And just because the source filename has to end in .gif, that doesn’t mean it’s really a GIF file.”

“The ImageIO library is used to guess the correct format of the source file and parse it, completely ignoring the file extension. Using this “fake gif” trick, over 20 image codecs are suddenly part of the iMessage zero-click attack surface, including some very obscure and complex formats, remotely exposing probably hundreds of thousands of lines of code.”

“JBIG2 doesn’t have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That’s exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It’s not as fast as Javascript, but it’s fundamentally computationally equivalent.”

“The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream.”

‘https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html

“…This code decrypts binary data received as part of an incoming message from the sender and instantiates a UIImage instance from it. The UIImage constructor will then try to determine the image format automatically.”

IIORawCamera_Reader::testHeader
IIO_Reader_AI::testHeader
IIO_Reader_ASTC::testHeader
IIO_Reader_ATX::testHeader
IIO_Reader_AppleJPEG::testHeader
IIO_Reader_BC::testHeader
IIO_Reader_BMP::testHeader
IIO_Reader_CUR::testHeader
IIO_Reader_GIF::testHeader
IIO_Reader_HEIF::testHeader
IIO_Reader_ICNS::testHeader
IIO_Reader_ICO::testHeader
IIO_Reader_JP2::testHeader
IIO_Reader_KTX::testHeader
IIO_Reader_LibJPEG::testHeader
IIO_Reader_MPO::testHeader
IIO_Reader_OpenEXR::testHeader
IIO_Reader_PBM::testHeader
IIO_Reader_PDF::testHeader
IIO_Reader_PICT::testHeader (macOS only)
IIO_Reader_PNG::testHeader
IIO_Reader_PSD::testHeader
IIO_Reader_PVR::testHeader
IIO_Reader_RAD::testHeader
IIO_Reader_SGI::testHeader (macOS only)
IIO_Reader_TGA::testHeader
IIO_Reader_TIFF::testHeader

‘https://googleprojectzero.blogspot.com/2020/04/fuzzing-imageio.html
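The quoted Project Zero passages describe ImageIO choosing a decoder by sniffing the file header rather than trusting the extension, which is what turns a renamed file into an entry point for dozens of codecs. The defensive counterpart is a receiver that does the same sniffing itself and refuses anything whose real format is either not on a short allow-list or disagrees with the declared name. The block below is an added example and is not Apple's, NSO's or Project Zero's code: the magic-number prefixes are real file signatures, the `check_attachment` policy function and the sample files are constructed for illustration.

```python
"""Reject attachments whose real format does not match the declared one.

Added example, not code from Apple, NSO or Project Zero. It mimics the
header-probing that the quoted ImageIO 'testHeader' readers perform and uses
it for the opposite purpose: gating which decoder an untrusted file may reach.
"""

# Real magic-number prefixes for a handful of formats. JBIG2 is listed because
# the quoted FORCEDENTRY write-up involves a JBIG2 stream; this is the standalone
# file header from the JBIG2 specification.
MAGIC = {
    "gif": [b"GIF87a", b"GIF89a"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "pdf": [b"%PDF-"],
    "bmp": [b"BM"],
    "tiff": [b"II*\x00", b"MM\x00*"],
    "jbig2": [b"\x97JB2\r\n\x1a\n"],
}

# What each filename extension claims the content is.
EXT_TO_FORMAT = {
    "gif": "gif", "png": "png", "jpg": "jpeg", "jpeg": "jpeg",
    "pdf": "pdf", "bmp": "bmp", "tif": "tiff", "tiff": "tiff",
}


def sniff_format(data: bytes):
    """Return the format implied by the header bytes, or None if unknown."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def declared_format(filename: str):
    """Return the format the extension claims, or None for an unknown extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TO_FORMAT.get(ext)


def check_attachment(filename: str, data: bytes, allowed=frozenset({"gif", "png", "jpeg"})):
    """Hypothetical receiver policy (constructed for this example).

    The sniffed format must be on the allow-list AND agree with the extension,
    so a PDF or JBIG2 file renamed to .gif never reaches those decoders.
    Returns (accept, reason-or-format)."""
    sniffed = sniff_format(data)
    declared = declared_format(filename)
    if sniffed is None:
        return False, "unrecognised header"
    if sniffed not in allowed:
        return False, f"{sniffed} decoder not allowed for attachments"
    if declared != sniffed:
        return False, f"extension says {declared}, header says {sniffed}"
    return True, sniffed


# Constructed sample attachments; the payload bytes are padding, not real files.
SAMPLES = {
    "cat.gif": b"GIF89a" + b"\x00" * 16,
    "fake.gif": b"%PDF-1.7\n" + b"\x00" * 16,        # PDF renamed to .gif: the 'fake gif' trick
    "photo.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "scan.gif": b"\x97JB2\r\n\x1a\n" + b"\x00" * 16,  # JBIG2 renamed to .gif
}


def triage():
    """Run the policy over every sample and return the verdict per filename."""
    return {name: check_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in triage().items():
        print(f"{name:12} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The point of sniffing first and checking the extension second is that the allow-list is applied to what the bytes actually are; checking the extension alone would have accepted both renamed files.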

Jennifer R Van Buskirk SATX July 27, 2023 4:49 AM

I have another form of trace evidence left within the analytics data report which I’ve yet to see mentioned- after the installation of the 16.6 update and its hefty 25 patches (once again, utterly useless.) I have been battling this it some exploit which delivers its payload in a stealth manner and deploys a configuration profile rendering every single device since mid January of 2022 (#6 on iPhone, 2 Samsung galaxy Note Ultras before that, and COUNTLESS Burner android devices, all on various networks, all completely hijacked and under remote control within a matter of seconds, or an hour at the most.

Who am I to have such a targeted stalker ware campaign chasing me everywhere right? Exactly. Apple has sent me out of their stores in tears so many times and done nothing to assist over the phone that I’ve given up even trying to get help from anyone. This is some sophisticated woo woo stuff that is definitely being deployed in the wild intentionally and we, the people of this world, the nobodies… we’ve been the control group for god knows how long. The hose on plain sight word I see so very often when I look at payload source code I find in the metadata of things like the gif attachments I never saw delivered under the iPhone storage settings/messages/other: EXPERIMENT.
While developers say that’s an app building thing for sandboxed processes blah blah blah- let’s get real. That’s a fantasy and the sandbox is full of cat sh!t, scorpions, and invisible gremlins underneath a veil of sunshine and security. We’re rats in a lab, and Kaspersky has revealed at least FIVE YEARS of forensic data NO ONE NOTICED. They also alluded to the vast scale of the actual “in the wild” exploitation and I’m here to break the front page news early;

This isn’t just another little under the rug, only the very elite must worry Apple hush hush- this doesn’t sit idle in only Apple machines. This thing has teeth, arms and a tail. It infects routers, network systems, creates its own mesh networks and it’s tentacles also spread to ble and out devices to create a low frequency 2.4ghz blemesh so there is ALWAYS A DATA CONNECTION.

For the ones ready to jump in and tell me I’m writing science fiction, turn off iMessage and turn off data and Wi-Fi, and boot the device off. Lol. These machines all have their own rules and pecking order , communication with the local network of opt to remotely connect, disconnect, you get the idea.

Here is just a little tidbit of the lovely iMessage tattletale analytic report I’m copying and pasting. If anyone comes at me with some sort of “that’s totally normal” – take a seat back at your nation sponsored Apple flavoured desk chair. I’ve never downloaded a messages Animoji extension- and if you’ve ever seen those ridiculously rainbow unicorns stickers show up as “frequently used” on your emoji keyboard… you’ve been hit with it recently. They don’t even hide it really. It’s there in plain sight. Apple has this data right under our noses so when they do finally get dragged to the pulpit they can show the world how they were always open and gave their users the reports because they just care so much about fundamental human rights to privacy. They will, of course, fail to mention how they trained their staff to admonish their platforms users for actually having the audacity to venture into and read through some of those reports.

{"app_name":"AnimojiStickersExtension","timestamp":"2023-07-24 17:21:23.00 -0500","app_version":"1.0","slice_uuid":"d11e702f-d638-390f-83e7-2956ec2f5537","build_version":"306.1","platform":2,"bundleID":"com.apple.Animoji.StickersApp.MessagesExtension","share_with_app_devs":1,"is_first_party":1,"bug_type":"309","os_version":"iPhone OS 16.5.1 (20F75)","roots_installed":0,"name":"AnimojiStickersExtension","incident_id":"A070C722-08A7-4B39-9BEA-23297F7A3FD8"}

{"imageOffset":50224,"symbol":"62-[_MSMessageAppExtensionContext _hostDidBeginDeferredTeardown]_block_invoke","symbolLocation":124,"imageIndex":20},{"imageOffset":8992,"symbol":"_dispatch_call_block_and_release","symbolLocation":32,"imageIndex":7},{"imageOffset":16044,"symbol":"_dispatch_client_callout","symbolLocation":20,"imageIndex":7},{"imageOffset":75428,"symbol":"_dispatch_main_queue_drain","symbolLocation":928,"imageIndex":7},{"imageOffset":74484,"symbol":"_dispatch_main_queue_callback_4CF","symbolLocation":44,"imageIndex":7},{"imageOffset":625704,"symbol":"__CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE","symbolLocation":16,"imageIndex":8},{"imageOffset":501088,"symbol":"__CFRunLoopRun","symbolLocation":1992,"imageIndex":8},

There’s way more and I’m happy to share with anyone who’s interested… I have 5 OTA failed reports from the rapid response that was pushed through that failed every time and more telltale message exploitations in clean script.

Thanks for reading my novel lol.

Leon Theremin July 28, 2023 2:34 PM

@Jennifer R Van Buskirk SATX

There will be no computing freedom until the silicon trojans embedded in all US designed CPUs are removed. If you want freedom, you will have to ensure that no unseen radiation is enabling remote control of your devices. Ask me anything about BadBIOS and hardware trojans.
