New Zero-click iOS Malware infects Kaspersky iPhones

The Russian cyber security firm, Kaspersky, found new zero-click iOS malware on its phones and eventually on many Russian government workers' iPhones (mainly diplomats working in embassies around Europe). They have dubbed this new malware “Triangulation”.

The basic details of the malware are described by Kaspersky as:

The attack is carried out using an invisible iMessage with a malicious attachment, which, using a number of vulnerabilities in the iOS operating system, is executed on the device and installs spyware. The deployment of the spyware is completely hidden and requires no action from the user. Further, the spyware also quietly transmits private information to remote servers: microphone recordings, photos from instant messengers, geolocation and data about a number of other activities of the owner of the infected device.

The attack is carried out as discreetly as possible, however, the fact of infection was detected by Kaspersky Unified Monitoring and Analysis Platform (KUMA), a native SIEM solution for information and event management; the system detected an anomaly in our network coming from Apple devices. Further investigation from our team showed that several dozen iPhones of our employees were infected with a new, extremely technologically sophisticated spyware we dubbed ‘Triangulation’.”

A very good write-up from Ars Technica: Ars Technica article

The important takeaways regarding the technical details (and avoiding the obvious international politics):

  1. The latest iOS version infected was 15.7, so Lockdown Mode was not in play (Lockdown Mode debuted in iOS 16). Unknown if the exploit chain was patched in later versions or the iOS version is just coincident with the malware campaign timing.

  2. Kaspersky discovered the infections due to suspicious network activity.

  3. Payload was delivered via iMessage attachment; the type of attachment is not discussed.

  4. Malware was not persistent and was wiped on reboot of the phone, though in one case the target was re-infected within minutes of rebooting their phone.

  5. Further technical details are due to be released in the coming days and weeks as the forensic analysis continues.

  6. No word yet on an Android equivalent being used by the same threat actor (historically iPhones have proved easier to do forensics on, as the operating system hangs on to more artifacts).

Those are the facts. As for stuff we don’t know for sure yet…

My initial thought goes immediately to Lockdown Mode. My speculation is that this likely would have been stopped by Lockdown Mode due to the delivery mechanism being a malicious iMessage attachment. Lockdown Mode blocks iMessage attachments other than images. Pegasus used a malicious PDF to deliver its zero-click exploit package; something similar may have been involved here.

The second thought is how this was discovered: via network activity. Presumably that was the C2 infrastructure talking with infected phones. Could DNS defenses have stopped the infection? Unknown for now, but if so, it means that is a very effective defense against these zero-day and zero-click attacks, assuming your DNS filtering could identify in real time malicious or likely-malicious domains either via algorithm or ruleset (blocking newly registered domains as one such rule).

As an example, Pegasus used a complex exploit chain that required the full malware to be uploaded remotely. The initial iMessage attack was just to force the phone to open a malicious URL in Safari, where the actual malware package was downloaded to the phone. Essentially it was forcing a ‘click’ on the URL without user interaction needed. In theory, if those Pegasus domains were blocked at the DNS level it would have prevented infection (most security-oriented DNS services like NextDNS and Quad9 now block known NSO-associated domains).

This kind of news can be very upsetting and make much of what we do to protect our privacy and security feel futile. However, we are actually far safer now from these kinds of attacks than just a few years ago, thanks to hard work from people like Citizen Lab that brought public attention to this threat. These kinds of attacks have always been around, and it is only through recent awareness that we can begin to arm ourselves to defend against them through individual awareness/actions. Additionally, by making it an issue that affects sales of devices, it is driving companies like Apple and Google to further harden their devices/services.

8 Likes

Thanks so much for this excellent write-up and analysis, covers the situation so well!

Really does seem like Lockdown would’ve done a fair amount to help protect against this attack (assuming the exploit itself isn’t already patched in later versions of iOS).

The DNS filtering isn’t something that presents itself as obviously, really nice observation on your end. To be honest I just wanted to comment to have an excuse to thank you for such a great write-up.

6 Likes

Amazing write-up, I saw this from @Henry’s socials. Based purely on what you said, I should be good as well.

2 Likes

A theory of mine here is that the attachment itself can still be exploitative as long as it’s on the device. So I’m curious if disappearing messages in iMessage would’ve stopped it once the attachments were eventually deleted. Just a theory. (Could very much be wrong, and the malware could be persistent regardless of attachment.) Excited to see the future analysis.

Some takeaways for anyone in an unfortunate enough position to have to worry about this stuff:

  • Enable Lockdown Mode
  • Be very careful with iMessage. Enable disappearing messages, avoid using it, disable contact methods (like being reached via phone), etc. On the more extreme front, you can just flat out disable iMessage/FaceTime. Use Signal.
  • Reboot your phone daily
  • Stay up to date
  • DNS filters may be a useful tool. If not to prevent data collection in a lucky situation, at least many of them offer analytics and basic traffic analysis that you can use to pick up on suspicious activity

Given the sophistication of these attacks, it’s pretty neat we even have some decent protections for them now!

4 Likes
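One way to put the thread’s DNS-filtering idea into practice (the first post’s “block newly registered domains” rule and the takeaway above about using a filter’s analytics to spot suspicious activity), as an added example that is not code from Kaspersky, Apple or any poster here: it triages a constructed resolver log against a constructed blocklist and domain-registration table, flagging blocklisted domains, domains registered within the last 30 days, and a client that keeps returning to the same unfamiliar domain. Every log line, domain and date in it is made up for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed resolver log (timestamp, client IP, query name); not real traffic.
SAMPLE_LOG = """\
2023-06-01T09:00:01 10.0.1.23 notify-service.example
2023-06-01T09:00:05 10.0.1.23 cdn-static.example
2023-06-01T09:00:09 10.0.1.23 a7f3k.updates-new.example
2023-06-01T09:03:12 10.0.1.41 cdn-static.example
2023-06-01T09:04:00 10.0.1.41 known-bad.example
2023-06-01T09:10:09 10.0.1.23 a7f3k.updates-new.example
2023-06-01T09:20:09 10.0.1.23 a7f3k.updates-new.example
"""
LOG_DATE = date(2023, 6, 1)   # the day the constructed log was captured
# Constructed stand-ins for WHOIS/RDAP ages and a threat feed; a real filter
# queries those live. updates-new.example is deliberately "fresh".
REGISTRATION_DATE = {
    "notify-service.example": date(2010, 1, 1),
    "cdn-static.example": date(2015, 3, 3),
    "updates-new.example": date(2023, 5, 20),
    "known-bad.example": date(2019, 7, 7),
}
BLOCKLIST = {"known-bad.example"}


def registrable_domain(qname: str) -> str:
    """Collapse a query name to its last two labels (enough for this toy)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def triage(log: str, today: date = LOG_DATE, new_days: int = 30, beacon_min: int = 3) -> dict:
    """Map client -> reasons: threat-feed match, new domain, repeated contact."""
    findings = defaultdict(list)
    seen = defaultdict(int)            # (client, domain) -> number of queries
    for line in log.splitlines():
        _ts, client, qname = line.split()
        dom = registrable_domain(qname)
        seen[client, dom] += 1
        if seen[client, dom] > 1:      # only the first query is scored; later
            if seen[client, dom] == beacon_min:   # ones feed the repeat counter
                findings[client].append(f"repeated contact: {dom}")
            continue
        if dom in BLOCKLIST:
            findings[client].append(f"blocklisted: {dom}")
        reg = REGISTRATION_DATE.get(dom)
        if reg is not None and today - reg <= timedelta(days=new_days):
            findings[client].append(f"newly registered: {dom}")
    return dict(findings)


if __name__ == "__main__":
    for client, reasons in triage(SAMPLE_LOG).items():
        print(client, reasons)
```

Run as a script it prints one line per flagged client; a real deployment would swap the two constructed tables for a live age lookup and a maintained feed, and would apply the rules at resolution time rather than after the fact.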

Thank you for the kind words!

I am very glad to hear my effort post is being well received. Your compliments have made my day.

I’ll continue to monitor for any updates, as Kaspersky has promised further technical details to follow. Though they may hold back some details, as Citizen Lab has in their recent postings, to prevent the threat actors from learning how to hide better from reading these public reports.

4 Likes

Thank you both for keeping this thread open, and not just for me: it’s helping me inform family/friends, so I appreciate you both a lot for this. I’m trying to inform them all while keeping it as innocent-sounding as possible, which I’m sure you can imagine isn’t easy to do lol

We now have the promised updates from Kaspersky and Apple detailed in an article from the Washington Post today.

As we speculated in this thread, Lockdown Mode was in fact effective in blocking the Triangulation malware:

Kaspersky said previously that the attack worked by sending an iMessage with a malicious attachment. Without ever seeing that message, the phone’s user would be infected and the attacker could run code of their choosing. The infection would disappear when users turned their phones off and on again, which experts say consumers should do at regular intervals. Apple’s optional Lockdown Mode also blocked the attacks.

Also confirmed is that the malware was only effective against iOS 15.7 or earlier, with a new patch released by Apple for older phones unable to update to iOS 16 that corrects the vulnerabilities exploited by Triangulation.

On Wednesday, Kaspersky gave more detail, saying that the malicious code installed after infection had 24 commands, including extracting passwords from Apple’s Keychain, monitoring locations, and modifying or exporting files.

“As we delved into the attack, we discovered a sophisticated iOS implant that displayed numerous intriguing oddities,” said Kaspersky’s Georgy Kucherin, one of three credited by Apple with discovering the vulnerabilities. Kaspersky dubbed the attack Triangulation, and it and others have released tools to check if devices are infected.

Apple said the fixes would protect iPhones running iOS 15.7 or earlier, which became out of date in September. More recent versions of the operating system had other improvements that made them impervious to the attacks. Apple said 90 percent of customers who bought devices in the past four years have updated to iOS 16, the latest major release.

Kaspersky thanked Apple for working with it to analyze and repair the flaws.

So that pretty much wraps up this story. The only missing details were regarding the suspicious network activity that Kaspersky said tipped them off to the infections to begin with. Unknown still if solutions available to the public like Quad9 or NextDNS would have been able to provide additional levels of protection to this attack or not.

And for those keeping score, this is now two confirmed cases of Lockdown Mode blocking state-level malware attacks against iOS devices. This is especially notable in this case, as the alleged attacker was not a private mercenary company like NSO, but instead a national intelligence agency that is likely the best in the world. Assuming, of course, that the alleged attacker is the true culprit.

3 Likes

Thanks so much for following this story and sending over the update! Super neat to see Lockdown do its job.

iMessage is just so complex and insecure that it gives me chills.

Apple should really try to rewrite the code of some parts of their OS to be a lot more secure and simple than that.

According to…? Show us why it’s complex and insecure.

"Silvanovich had assumed that iMessage would be a more scrutinized and locked-down target, but when she started reverse engineering and looking for flaws, she quickly found multiple exploitable bugs.

This may be because iMessage is such a complex platform that offers an array of communication options and features. It encompasses Animojis, rendering files like photos and videos, and integration with other apps—everything from Apple Pay and iTunes to Fandango and Airbnb. All of these extensions and interconnections increase the likelihood of mistakes and weaknesses."

1 Like

Thanks for sending along!

1 Like

In a way, Lockdown Mode kind of does this. It disables many features native to iOS (especially iMessage functionality) in order to reduce the attack surface.

This kind of leaves me with the idea of how operational security can involve both and behavioral modifications, as I like how user patterns trip “suspicious activity”…

I don’t know. It’s all speculation on my end. But I have seen several articles about initial flags being caught and initial potential exploits being observed, by patterns and frequency of use. To me that resounds a little bit of unappreciated operational security in the form of behavioral modification, environmental awareness, etc.

This kind of sounds like the stuff I read about Pegasus and its derivatives.