Coruna iOS Exploit Kit Resurfaces
The Coruna iOS exploit kit has emerged as a significant threat, utilizing an updated version of a kernel exploit initially discovered in the 2023 Operation Triangulation campaign. According to Kaspersky’s recent analysis, this kit targets vulnerabilities in Apple iOS, posing a renewed risk to users.
Kaspersky’s principal security researcher, Boris Larin, emphasized that while initial reports lacked sufficient evidence linking Coruna to the Triangulation campaign, recent findings suggest that Coruna is an evolved version of the original framework. The developers have actively maintained and expanded the codebase, adapting it for modern processors and iOS iterations.
The Evolution of Coruna
Initially reported by Google and iVerify, the Coruna kit focuses on iPhones running iOS 13.0 to 17.2.1. Although it was first utilized by a surveillance company last year, its adoption has grown, with suspected Russian actors deploying it in Ukraine via watering hole attacks. The campaign also employed fake Chinese gambling and cryptocurrency sites to distribute the PlasmaLoader malware.
The kit comprises five complete iOS exploit chains and 23 distinct exploits. Among these are CVE-2023-32434 and CVE-2023-38606, which were originally zero-day vulnerabilities in the Triangulation campaign. Kaspersky’s findings indicate that the kernel exploits in both campaigns share an author, and Coruna incorporates four additional kernel exploits, all built on a shared framework.
Technical Advancements and Implications
The code now supports Apple’s latest processors, including the A17 and M3 series, and checks for iOS 17.2 as well as earlier builds such as 16.5 beta 4 in which the older vulnerabilities had already been patched. This indicates that newer exploits have been added to the kit to keep pace with recent iOS security fixes.
The attack sequence begins when a user visits a compromised website via Safari. A stager fingerprints the browser, selecting the appropriate exploit based on the browser and OS version. This leads to the execution of a payload that deploys the kernel exploit. Kaspersky notes that the payload intelligently selects the Mach-O loader, considering the device’s firmware, CPU, and permissions.
Broader Implications and Future Risks
The attack framework, initially developed for espionage, is now widely accessible, potentially endangering millions of unpatched devices. Larin warns of its modular design, which allows easy reuse, suggesting that other threat actors may soon adopt it.
In a related development, the iPhone exploit kit DarkSword has been leaked on GitHub, raising concerns about empowering more threat actors with sophisticated capabilities. As these tools become more accessible, what was once exclusive to elite hackers could now enable widespread exploitation.
The situation underscores the importance of timely security updates and vigilance among users and organizations to mitigate potential threats.
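As an added example (not code from Kaspersky’s report or from this article), the following Python script reads a constructed MDM inventory export and lists the devices whose iOS release falls inside the 13.0 to 17.2.1 range the article reports, oldest first, so update pushes can be prioritised; the CSV column names, device ids and models are assumptions, and pre-release builds such as "16.5 beta 4" are judged on their base release number.

```python
import csv
import io
import re

# Affected range as reported in the article: iOS 13.0 through 17.2.1, inclusive.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Accepts "17", "17.2", "17.2.1" and pre-release builds such as "16.5 beta 4".
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\s*beta\s*(\d+))?$", re.I)

def parse_ios_version(text):
    """Return (major, minor, patch, is_beta); missing components default to 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised iOS version string: {text!r}")
    major, minor, patch, beta = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), beta is not None)

def in_affected_range(version):
    """Beta builds are judged on their base release number (the conservative choice)."""
    return AFFECTED_MIN <= version[:3] <= AFFECTED_MAX

def triage_inventory(csv_text):
    """Split an MDM export (device_id, ios_version columns) into (flagged, unparsed).
    flagged: (device_id, ios_version) of devices inside the affected range, oldest first.
    unparsed: device ids whose version string could not be read; review these by hand
    rather than treating them as safe."""
    flagged, unparsed = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            version = parse_ios_version(row["ios_version"])
        except ValueError:
            unparsed.append(row["device_id"])
            continue
        if in_affected_range(version):
            flagged.append((version, row["device_id"], row["ios_version"]))
    flagged.sort()  # version tuple first, so the oldest releases lead the queue
    return [(dev, ver) for _, dev, ver in flagged], unparsed

# Constructed sample export; device ids and models are invented for illustration.
SAMPLE_INVENTORY = """device_id,model,ios_version
ipad-0142,iPad Pro,17.3
iphone-2031,iPhone 12,17.2.1
iphone-0077,iPhone 8,13.0
iphone-1190,iPhone 14,16.5 beta 4
iphone-0412,iPhone 7,12.5.7
iphone-0999,iPhone 11,unknown
"""
```

Rows whose version string cannot be interpreted are returned separately rather than dropped, because an unreadable version is not evidence that a device is patched.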
