Cybersecurity firm Kaspersky has disclosed details of a sophisticated Advanced Persistent Threat (APT) campaign aimed at iOS devices, after initially reporting the attack in early June. The company's researchers report that they have uncovered further insights into the operation of the spyware implant known as TriangleDB. By exploiting a kernel vulnerability, the implant gains root privileges on the targeted iOS device and operates exclusively in device memory to conceal its presence. Restarting the device erases any traces of the infection, so the device has to be reinfected via a malicious iMessage attachment. TriangleDB is multifaceted spyware that carries out extensive data collection and monitoring functions.
Kaspersky says that the implant supports 24 commands with diverse functionality, including interacting with the device's file system, managing processes, extracting keychain items, and monitoring geolocation.
At the same time, Apple has issued patches for two zero-day vulnerabilities. It is worth noting that these vulnerabilities have not been observed to impact devices running iOS versions newer than 15.7.
Russia's computer security agency attributed the spyware campaign to the USA. Kaspersky's researchers said that they are continuing their analysis of the campaign.