Operation Triangulation is a mobile campaign targeting iOS devices.[1] The unidentified actors used zero-click exploits delivered as iMessage attachments to gain Initial Access, then executed further exploits and validators, such as Binary Validator, before finally executing the TriangleDB implant.
Domain | ID | Name | Use
---|---|---|---
Mobile | T1437 | Application Layer Protocol | During Operation Triangulation, the threat actors used HTTPS POST requests for C2 communication.[2]
Mobile | T1429 | Audio Capture | During Operation Triangulation, the threat actors used a microphone-recording module.[3]
Mobile | T1634.001 | Credentials from Password Store: Keychain | During Operation Triangulation, the threat actors dumped the device’s keychain.[2][3]
Mobile | T1533 | Data from Local System | During Operation Triangulation, the threat actors stole data from SQLite databases.[3]
Mobile | T1521.001 | Encrypted Channel: Symmetric Cryptography | During Operation Triangulation, the threat actors used 3DES and AES to encrypt C2 communication and data.[2][3]
Mobile | T1521.002 | Encrypted Channel: Asymmetric Cryptography | During Operation Triangulation, the threat actors used RSA to encrypt C2 communication.[2]
Mobile | T1658 | Exploitation for Client Execution | During Operation Triangulation, the threat actors sent iMessage messages with malicious exploits that executed without user interaction.[1][3][4] Additionally, the threat actors used various exploits, such as CVE-2023-41990, CVE-2023-32435, CVE-2023-32434 and CVE-2023-38606, to obtain privilege escalation.[4]
Mobile | T1404 | Exploitation for Privilege Escalation | During Operation Triangulation, the threat actors exploited a kernel vulnerability to obtain root privileges.[2]
Mobile | T1420 | File and Directory Discovery | During Operation Triangulation, the threat actors obtained a list of files in a specified directory using the
Mobile | T1630 | Indicator Removal on Host | During Operation Triangulation, the threat actors deleted the initial exploitation message and exploit attachment.[1]
Mobile | T1630.002 | Indicator Removal on Host: File Deletion | During Operation Triangulation, the threat actors removed files from the device.[2]
Mobile | T1544 | Ingress Tool Transfer | During Operation Triangulation, the threat actors downloaded subsequent stages from the C2.[1][2]
Mobile | T1430 | Location Tracking | During Operation Triangulation, the threat actors monitored the device’s geolocation.[2][3]
Mobile | T1575 | Native API | During Operation Triangulation, the threat actors used the Audio Queue API to record audio.[3][4]
Mobile | T1424 | Process Discovery | During Operation Triangulation, the threat actors obtained a list of running processes.[2]
Mobile | T1636.004 | Protected User Data: SMS Messages | During Operation Triangulation, the threat actors collected and exfiltrated SMS messages.[3]
Mobile | T1418 | Software Discovery | During Operation Triangulation, the threat actors obtained a list of installed applications.[2]
Mobile | T1409 | Stored Application Data | During Operation Triangulation, the threat actors collected and exfiltrated data from WhatsApp and Telegram.[3]
Mobile | T1426 | System Information Discovery | During Operation Triangulation, the threat actors collected device and user information.[1]
Mobile | T1422 | System Network Configuration Discovery | During Operation Triangulation, the threat actors used the implant’s heartbeat beacons to obtain device information such as the IMEI, MEID, and serial number.[2]
ID | Name | Description
---|---|---
S1215 | Binary Validator |
S1216 | TriangleDB |