In a detailed technical writeup, Kaspersky said the malware contains at least four different modules that allow it to record sounds using the device’s integrated microphone, extract iCloud keychain, steal data from SQLite databases, and even triangulate the device’s location by means of GSM (not GPS).
When GPS data is not available, the module in charge of tracking the victim’s location will use mobile country code (MCC), mobile network code (MNC), and location area code (LAC) to determine the exact location of the device. Whoever built the malware has also gone to great lengths to make sure they’re not spotted. The microphone module, for example, stops working when the victim turns the screen on, or when the battery drops below 10%. The malware also runs a few checks before running, to make sure it’s not installed in a research environment.
Advanced persistent threats
When it comes to the identity of the attackers, so far it’s still a mystery. The campaign is dubbed Operation Triangulation, and while the identity is unknown, Kaspersky described the operators as a “fully-featured advanced persistent threat (APT)”.
APTs are often associated with state, or state-sponsored, threat actors tasked with government or corporate espionage and data theft.
To deploy the malware, the hackers leveraged zero-day vulnerabilities on iOS, tracked as CVE-2023-32434 and CVE-2023-32435. By sending a specially crafted message through the iMessage platform, the attackers could gain full control over both the endpoint and user data, without needing any interaction from the victim.
"The adversary behind Triangulation took great care to avoid detection," the researchers said. "The attackers also showed a great understanding of iOS internals, as they used private undocumented APIs in the course of the attack."
More from TechRadar Pro
- Online scammers target desperate loan seekers using online fraud
- Here's a list of the best firewalls today
- These are the best ID theft protection tools right now
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.