In our previous blogpost on Triangulation, we discussed the details of TriangleDB, the main implant used in this campaign, its C2 protocol and the commands it can receive. We mentioned, among other things, that it is able to execute additional modules. We also mentioned that this operation was quite stealthy. This article details one important aspect of this attack – the stealth that was exercised by the threat actor behind it. Along the way, we will also reveal more information about the components used in this attack.

In our previous blogposts, we outlined the Operation Triangulation infection chain: a device receives a malicious iMessage attachment that launches a chain of exploits, and their execution ultimately results in the launch of the TriangleDB implant. In more detail, the infection chain can be summarized with the following graph:

Apart from the exploits and components of the TriangleDB implant, the infection chain contains two "validator" stages, namely "JavaScript Validator" and "Binary Validator". These validators collect various information about the victim device and send it to the C2 server. This information is then used to assess if the iPhone or iPad to be implanted with TriangleDB could be a research device. By performing such checks, attackers can make sure that their 0-day exploits and the implant do not get burned.