C0054 Operation Triangulation
Operation Triangulation is a mobile campaign targeting iOS devices.[1] The unidentified actors used zero-click exploits delivered as iMessage attachments to gain Initial Access, then executed further exploits and validators, such as Binary Validator, before finally executing the TriangleDB implant.
| Item | Value |
|---|---|
| ID | C0054 |
| Associated Names | |
| First Seen | January 2019 |
| Last Seen | June 2023 |
| Version | 1.0 |
| Created | 28 March 2025 |
| Last Modified | 28 March 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1437 | Application Layer Protocol | During Operation Triangulation, the threat actors used HTTPS POST requests for C2 communication.[2] |
| mobile | T1429 | Audio Capture | During Operation Triangulation, the threat actors used a microphone-recording module.[3] |
| mobile | T1634 | Credentials from Password Store | - |
| mobile | T1634.001 | Keychain | During Operation Triangulation, the threat actors dumped the device's keychain.[2][3] |
| mobile | T1533 | Data from Local System | During Operation Triangulation, the threat actors stole data from SQLite databases.[3] |
| mobile | T1521 | Encrypted Channel | - |
| mobile | T1521.001 | Symmetric Cryptography | During Operation Triangulation, the threat actors used 3DES and AES to encrypt C2 communication and data.[2][3] |
| mobile | T1521.002 | Asymmetric Cryptography | During Operation Triangulation, the threat actors used RSA to encrypt C2 communication.[2] |
| mobile | T1658 | Exploitation for Client Execution | During Operation Triangulation, the threat actors sent iMessage messages carrying malicious exploits that executed without user interaction.[1][3][4] Additionally, the threat actors used various exploits, such as CVE-2023-41990, CVE-2023-32435, CVE-2023-32434 and CVE-2023-38606, to obtain privilege escalation.[4] |
| mobile | T1404 | Exploitation for Privilege Escalation | During Operation Triangulation, the threat actors exploited a kernel vulnerability to obtain root privileges.[2] |
| mobile | T1420 | File and Directory Discovery | During Operation Triangulation, the threat actors obtained a list of files in a specified directory using the fts API.[2] |
| mobile | T1630 | Indicator Removal on Host | During Operation Triangulation, the threat actors deleted the initial exploitation message and exploit attachment.[1] |
| mobile | T1630.002 | File Deletion | During Operation Triangulation, the threat actors removed files from the device.[2] |
| mobile | T1544 | Ingress Tool Transfer | During Operation Triangulation, the threat actors downloaded subsequent stages from the C2.[1][2] |
| mobile | T1430 | Location Tracking | During Operation Triangulation, the threat actors monitored the device's geolocation.[2][3] |
| mobile | T1575 | Native API | During Operation Triangulation, the threat actors used the Audio Queue API to record audio.[3][4] |
| mobile | T1424 | Process Discovery | During Operation Triangulation, the threat actors obtained a list of running processes.[2] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.004 | SMS Messages | During Operation Triangulation, the threat actors collected and exfiltrated SMS messages.[3] |
| mobile | T1418 | Software Discovery | During Operation Triangulation, the threat actors obtained a list of installed applications.[2] |
| mobile | T1409 | Stored Application Data | During Operation Triangulation, the threat actors collected and exfiltrated data from WhatsApp and Telegram.[3] |
| mobile | T1426 | System Information Discovery | During Operation Triangulation, the threat actors collected device and user information.[1] |
| mobile | T1422 | System Network Configuration Discovery | During Operation Triangulation, the threat actors used the implant's heartbeat beacons to obtain device information, such as the IMEI, MEID, and the serial number.[2] |
Software
| ID | Name | Description |
|---|---|---|
| S1215 | Binary Validator | [3] |
References
1. Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. Retrieved April 18, 2024.
2. Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.
3. Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.
4. Larin, B. (2023, December 27). Operation Triangulation: The last (hardware) mystery. Retrieved April 18, 2024.