Kaspersky: How to Catch a Wild Triangle

In early 2023, the Kaspersky team detected an ongoing attack targeting iPhones and iPads within their organization and initiated a digital forensics and incident response (DFIR) process to locate and extract the malware responsible. Network traffic analysis revealed suspicious connections to specific servers shortly before the devices began behaving abnormally, but HTTPS encryption prevented them from recovering further detail from the traffic. Attempts to inspect the devices' contents with available forensic acquisition software also ran into obstacles.

To learn more about the attackers, the team turned to iTunes backups of the devices and analyzed them for signs of compromise. They found anomalous activity from a process named "BackupAgent" and developed a tool to identify traces of compromise in backups.

When intercepting iMessages through a Mac device failed, they tried to decrypt HTTPS communications with the C2 servers; the iMessage traffic itself could not be decrypted because of SSL pinning. The attackers' JavaScript validator collected information about victim browsers, but its traffic was encrypted with the NaCl library. To decrypt those communications, the team compromised the process that generated the key pair used by the validator. They obtained the exploits used by the attackers and discovered that the malicious attachment
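The backup check described above, as an added illustration that is not Kaspersky's own triangle_check tool: it scans an in-memory SQLite database built to mimic the process/data-usage tables of an iOS backup and flags recorded network traffic attributed to a process that should not produce any, such as "BackupAgent". The table and column names (ZPROCESS, ZLIVEUSAGE, ZPROCNAME, ZHASPROCESS, ZWWANIN, ZWWANOUT) and all rows are assumptions constructed for the example.

```python
import sqlite3
from typing import List, Tuple

# Assumption: a legacy process that has no business generating network traffic.
SUSPECT_PROCESSES = {"BackupAgent"}

# Constructed sample rows: (process name, bundle name, wwan bytes in, wwan bytes out).
SAMPLE_ROWS = [
    ("mDNSResponder", "", 1200, 800),
    ("com.apple.WebKit.Networking", "", 5000, 2000),
    ("BackupAgent", "", 987654, 12345),  # constructed anomaly
    ("IMTransferAgent", "", 4096, 128),
]


def build_sample_db() -> sqlite3.Connection:
    """Build an in-memory database whose layout is an assumption modelled on
    the process and data-usage tables found in an iOS backup."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, "
        "ZPROCNAME TEXT, ZBUNDLENAME TEXT)"
    )
    conn.execute(
        "CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, "
        "ZHASPROCESS INTEGER, ZWWANIN INTEGER, ZWWANOUT INTEGER)"
    )
    for pk, (proc, bundle, wwan_in, wwan_out) in enumerate(SAMPLE_ROWS, start=1):
        conn.execute("INSERT INTO ZPROCESS VALUES (?, ?, ?)", (pk, proc, bundle))
        conn.execute("INSERT INTO ZLIVEUSAGE VALUES (?, ?, ?, ?)",
                     (pk, pk, wwan_in, wwan_out))
    conn.commit()
    return conn


def find_suspect_usage(conn: sqlite3.Connection,
                       suspects=SUSPECT_PROCESSES) -> List[Tuple[str, int, int]]:
    """Return (process, bytes_in, bytes_out) for each suspect process that has
    any recorded cellular traffic; an empty list means no trace was found."""
    query = """
        SELECT p.ZPROCNAME, SUM(u.ZWWANIN), SUM(u.ZWWANOUT)
        FROM ZLIVEUSAGE u JOIN ZPROCESS p ON u.ZHASPROCESS = p.Z_PK
        GROUP BY p.ZPROCNAME
    """
    hits = []
    for name, bytes_in, bytes_out in conn.execute(query):
        if name in suspects and (bytes_in or bytes_out):
            hits.append((name, bytes_in, bytes_out))
    return hits


if __name__ == "__main__":
    for proc, b_in, b_out in find_suspect_usage(build_sample_db()):
        print(f"suspect network usage: {proc} in={b_in} out={b_out}")
```

Against a real backup the same query would be run on the extracted database rather than the constructed one, and the suspect set would hold whatever process names the investigation has established as anomalous.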

https://securelist.com/operation-triangulation-catching-wild-triangle/110916/
