Triangle Check: scan iTunes backups for traces of compromise by Operation Triangulation
This script allows to scan iTunes backups for indicator of compromise by Operation Triangulation.
For more information, please read Securelist
Contact: triangulation@kaspersky.com
Prerequisites
The script depends on: colorama (for pretty printing), pycryptodome
Installation
The triangle_check utility can be installed from PyPI (recommended):
python -m pip install triangle_check
The script can be run as-is (the subdirectory triangle_check is required):
python -m pip install -r requirements.txt
python triangle_check.py
It can also be built into a pip package:
git clone https://github.com/KasperskyLab/triangle_check
cd triangle_check
python -m build
python -m pip install dist/triangle_check-1.0-py3-none-any.whl
For Windows or Linux, alternatively use the binary builds of the triangle_check utility.
Usage
Usage: python -m triangle_check /path/to/iTunes_backup [backup_password]
iTunes backup location
Locate the backup directory created by iTunes. The exact location depends on the OS and is described here. The directory you are looking for should contain many subdirectories, and should include 'Manifest.db', 'Manifest.plist'. The backup may be encrypted with a password, if set up in iTunes. That password is required to decrypt password-protected backups.
Advanced: create backup with libimobiledevice
You can use the tool idevicebackup2 that is a part of the open-source package named libimobiledevice. Popular Linux distributions, macports and homebrew allow to install it out of the box, and the package can be built from the source code for Linux or OSX.
Scanning the backup
Run the tool against the backup directory. If there are any traces of suspicious activity, the script will print out SUSPICION or DETECTED lines with more information and detected IOCs, and that would mean that the device was most likely compromised.
Example output:
==== IDENTIFIED TRACES OF COMPROMISE (Operation Triangulation) ====
2022-*-* SUSPICION Suspicious combination of events:
* file modification: Library/SMS/Attachments/ab/11
* file attribute change: Library/SMS/Attachments/ab/11
* location service stopped: com.apple.locationd.bundle-/System/Library/LocationBundles/WRMLinkSelection.bundle
* file modification: Library/Preferences/com.apple.ImageIO.plist
* file attribute change: Library/Preferences/com.apple.ImageIO.plist
* file birth: Library/Preferences/com.apple.ImageIO.plist
* file modification: Library/Preferences/com.apple.locationd.StatusBarIconManager.plist
* file attribute change: Library/Preferences/com.apple.locationd.StatusBarIconManager.plist
* file birth: Library/Preferences/com.apple.locationd.StatusBarIconManager.plist
2022-*-* DETECTED Exact match by NetUsage : BackupAgent
2022-*-* DETECTED Exact match by NetTimestamp : BackupAgent
What's next?
The research on the Operation Triangulation is ongoing. For more updates, please check Securelist