Russian AV vendor Kaspersky has published a new automated tool designed to make it easier for iOS users to test whether their device has been infected with malware delivered via a specific zero-click exploit.
The news follows details of a new espionage campaign, dubbed “Operation Triangulation” by Kaspersky, which it said dates back to 2019 and is ongoing.
The campaign was uncovered after Kaspersky found employee devices on its own global corporate network were infected with malware thought to have been deployed via a zero-click exploit.
Users receive an iMessage including an attachment containing the exploit. This will trigger a vulnerability leading to code execution, even if the user doesn’t open the attachment. That code is programmed to download additional payloads to the device, for privilege escalation and more, before deleting the original iMessage.
In its original post, Kaspersky explained how concerned users could check an iTunes backup of their device for signs of the infection. It has now released an automated tool that makes the process much easier.
“This process takes time and requires manual search for several types of indicators. To automate this process, we developed a dedicated utility to scan the backups and run all the checks,” Kaspersky wrote. “For Windows and Linux, this tool can be downloaded as a binary build, and for MacOS it can be simply installed as a Python package.”
If the triangle_check utility finds the campaign's specific indicators of compromise (IoCs) in the backup, it returns a “detected” result; if none are present, users should see the message: “No traces of compromise were identified.”
However, a “suspicion” message indicates the presence of “a combination of less specific indicators” that points to “a likely infection,” according to the AV vendor.
Zero-click exploits of this sort have been popularized by commercial spyware vendors such as NSO Group, which are alleged to count autocratic regimes among their customers. The Russian intelligence service (FSB), however, has attributed this particular campaign to US intelligence without presenting any evidence.