Cyber Security News

‘Triangulation’ Malware: New Tool to Find iPhone & iOS Device Infections

Kaspersky reported earlier this month that it had discovered a new zero-click iOS exploit that threat actors are actively using.

The exploit uses iMessage as the delivery channel to gain root privileges.

Threat actors were using Command and Control (C2) servers to manage and control the compromised iOS devices.

Recent reports suggest that a new tool named “triangle-check” was released, which can scan iTunes backups for traces of IoCs (Indicators of Compromise).

This was released as a PyPI project, “triangle-check 1.1”.

Triangle Check

This project is released as a Python script that can scan iTunes backups of iPhones and check for any traces of compromise.

The script has two Python dependencies, colorama, which is used for pretty printing, and pycryptodome.

To use this package, the exact location of the iTunes backup directory is required. This directory contains many sub-directories and files such as “Manifest.db” and “Manifest.plist”.

For decryption, the password used for encryption is required (if a password was set up for the backup in iTunes). For advanced backup creation, the idevicebackup2 tool can be used, which depends on the open-source package named “libimobiledevice”.
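Before pointing a scanner at a directory, it helps to confirm that it really is a complete backup and whether a password will be needed. The sketch below is an added example, not part of the article or of Kaspersky's tool; it assumes the `IsEncrypted` flag that iTunes writes into Manifest.plist, and the names `preflight` and `make_sample` are hypothetical.

```python
import plistlib
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of any plaintext SQLite file


def preflight(backup_dir):
    """Return (ready, needs_password, problems) for a candidate backup directory."""
    root = Path(backup_dir)
    db, plist = root / "Manifest.db", root / "Manifest.plist"
    problems = [f"missing {p.name}" for p in (db, plist) if not p.is_file()]
    if problems:
        return False, False, problems
    try:
        with plist.open("rb") as fh:
            manifest = plistlib.load(fh)
    except Exception as exc:  # truncated or non-plist file
        return False, False, [f"unreadable Manifest.plist: {exc}"]
    if not isinstance(manifest, dict):
        return False, False, ["Manifest.plist has no top-level dictionary"]
    # Assumption: IsEncrypted is the flag iTunes writes into Manifest.plist.
    needs_password = bool(manifest.get("IsEncrypted", False))
    with db.open("rb") as fh:
        plaintext_db = fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    # An unencrypted backup must carry a readable SQLite index; if it does not,
    # the copy is damaged or incomplete and a scan result would be unreliable.
    if not needs_password and not plaintext_db:
        problems.append("Manifest.db is not SQLite but backup is marked unencrypted")
    return not problems, needs_password, problems


def make_sample(root, encrypted, db_bytes):
    """Write a constructed, minimal stand-in for a backup directory (test data only)."""
    root = Path(root)
    with (root / "Manifest.plist").open("wb") as fh:
        plistlib.dump({"IsEncrypted": encrypted}, fh)
    (root / "Manifest.db").write_bytes(db_bytes)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp, True, b"\x8f" * 32)  # constructed: opaque index, encrypted flag set
        print(preflight(tmp))
```

A directory that fails this check should be re-copied or re-created before scanning, since a clean result on a partial backup says nothing about the device.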

Scanning

The tool is run on the iTunes backup directory, which is scanned for suspicious activity.

If the tool finds any malicious activity, the tool will print the output as SUSPICION. If the tool finds any Indicators of Compromise (IoC), it will print DETECTED.

Install and Configure

To install this project, the following commands can be used:

python -m pip install triangle_check
python -m pip install -r requirements.txt
python triangle_check.py

To build and install it as a pip package:

git clone https://github.com/KasperskyLab/triangle_check
cd triangle_check
python -m build
python -m pip install dist/triangle_check-1.0-py3-none-any.whl

Windows or Linux users are recommended to use the binary builds of this project.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
