Cybersecurity firm Kaspersky has released a tool to detect whether Apple iPhones and other iOS devices are infected with new “triangulation” malware.

This malware was discovered by Kaspersky on its own network, reporting that it has infected multiple iOS devices on its premises worldwide since at least 2019.

Although malware analysis is still ongoing, the cybersecurity firm noted that the “Operation Triangulation” malware campaign uses an unknown zero-day exploit on iMessage to perform code execution without user interaction. user and without elevated privileges.

This allows the attack to download other payloads to the device for further command execution and information gathering.

It should also be noted that the FSB, the Russian intelligence and security service, related malware to infections of senior officials and foreign diplomats.

In the original reportKaspersky has provided extensive details on manually checking iOS device backups for possible indicators of compromise by this unknown malware using the Mobile Verification Toolkit (MVT).

However, the security company has now released an easier to use tool, automated triangulation scanner for Windows and Linux.

The Triangle iOS Scanner

iOS can only be scanned as a backup, as Apple’s various security mechanisms (sandboxing, data encryption, code signing) prevent live system scanning.

So, users should backup their iOS devices first by following these steps according to their operating system:

The Windows:

1. Connect your device to a computer where iTunes is installed. Unlock your device and, if necessary, confirm that you trust your computer.
2. Your device should now be displayed in iTunes. Right-click on it and press “Save”.
3. The backup created will be saved in the %appdata%\Apple Computer\MobileSync\Backup directory.

MacOS:

1. Connect your device to the computer and, if necessary, confirm that you trust the computer.
2. Your device should now be displayed in Finder. Select it and then click “Create backup”.
3. The created backup will be saved in the ~/Library/Application Support/MobileSync/Backup/ directory.

Linux:

1. Install the “libimobile device” library.
2. Connect your device to the computer and create a backup using the command “idevicebackup2 backup –full”.
3. During the backup process, enter your device’s passcode as requested.

The next step is to use Kaspersky’s “triangle_check” scanner to scan iOS backups.

Kaspersky has released the scanner as binary versions for Windows and Linux and a cross-platform Python package made available via the PyPI.

Python package:

1. Get ‘triangle_check’ from PyPI using the following command: python -m pip install triangle_check
2. Alternatively, the tool can be created from GitHub by running:
3. git clone https://github.com/KasperskyLab/triangle_check
4. cd triangle_check
5. python -m build
6. python -m pip install dist/triangle_check-1.0-py3-none-any.whl

After that, use this command to launch the tool: python -m triangle_check path to created backup.

Windows Binary:

The Windows binary is available via Kaspersky public GitHub repository. To use it, follow these instructions:

1. Download the triangle_check_win.zip archive from the GitHub releases page and unzip it.
2. Launch the command prompt (cmd.exe) or PowerShell.
3. Change your directory to the one with the unzipped archive (for example, cd %userprofile%\Downloads\triangle_check_win).
4. Run triangle_check.exe, specifying the backup path as an argument (for example, triangle_check.exe “%appdata%\Apple Computer\MobileSync\Backup\00008101-000824411441001E-20230530-143718”).

Linux Binary:

The Linux binary is available via Kaspersky public GitHub repository. To use it, follow these instructions:

1. Download the triangle_check_win.zip archive from the GitHub releases page and unzip it.
2. Launch the terminal.
3. Change your directory to the one with the unzipped archive (eg cd ~/Downloads/triangle_check_linux).
4. Authorize the execution of the utility with the command “chmod +x triangle_check”.
5. Launch the utility specifying the backup path as an argument (for example, ./triangle_check ~/Desktop/my_backup/00008101-000824411441001E-20230530-143718).

When launched and pointed to the iOS backup path, the triangle_check tool generates one of the following scan results:

• DETECTED: It means that the malware “Operation Triangulation” has infected the device without any doubt.
• SUSPICION: The scan found indicators of compromise indicating probable infection, but there is not enough evidence to support a conclusive result.
• No trace of compromise has been identified: The scanner did not detect any signs of compromise for the malware family in question.

Note that the above results, especially negative results, may not be entirely reliable or treated as definitive assurances that the device is clean.

As analysis of the malware is ongoing, additional indicators of compromise or even a newer variant that infects newer iOS versions may be discovered later.

A targeted malware campaign

Typically, spy-focused malware distribution campaigns such as “Operation Triangulation” target specific individuals or companies rather than the general population, so most people using the checker should get a clean result.

However, Kaspersky’s tool could be handy for people in critical roles in important organizations, people at heightened risk of state-sponsored espionage, and those working in companies or departments that act as information centers.

Currently, the exact origin of the malware and the orchestrators of Operation Triangulation remain unknown; therefore, the scope of targeting and victimology have not been determined.