The code within the exploit downloads several subsequent stages from the C&C server, that include additional exploits for privilege escalation. Without any user interaction, the message triggers a vulnerability that leads to code execution.The target iOS device receives a message via the iMessage service, with an attachment containing an exploit.This allowed to move the research forward, and to reconstruct the general infection sequence: Using this timeline, we were able to identify specific artifacts that indicate the compromise. The mvt-ios utility produces a sorted timeline of events into a file called “timeline.csv”, similar to a super-timeline used by conventional digital forensic tools. The timestamps of the files, folders and the database records allow to roughly reconstruct the events happening to the device. Mobile device backups contain a partial copy of the filesystem, including some of the user data and service databases. If you have any additional details to share, please contact us:. We are calling this campaign “Operation Triangulation”, and all the related information we have on it will be collected on the Operation Triangulation page. Since it is impossible to inspect modern iOS devices from the inside, we created offline backups of the devices in question, inspected them using the Mobile Verification Toolkit’s mvt-ios and discovered traces of compromise. While monitoring the network traffic of our own corporate Wi-Fi network dedicated for mobile devices using the Kaspersky Unified Monitoring and Analysis Platform (KUMA), we noticed suspicious activity that originated from several iOS-based phones.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |