Cybersecurity researchers at Kaspersky have uncovered strong evidence that the recently discovered Coruna iOS exploit kit is not a new creation from scratch, but rather a continuously maintained evolution of the same exploit framework used in the sophisticated Operation Triangulation campaign back in 2023.
When Coruna was first publicly reported earlier this month by Google and iVerify, the connection wasn’t immediately clear. However, deeper analysis by Kaspersky’s Global Research and Analysis Team (GReAT) shows that the kernel exploits in Coruna share the same author and core codebase as those from Triangulation.
Boris Larin, Principal Security Researcher at Kaspersky, explained: “Coruna is not a patchwork of public exploits. It is a continuously maintained evolution of the original Operation Triangulation framework.” He noted that the inclusion of support for newer hardware like the M3 series processors and recent iOS versions demonstrates active development by the original authors.
Overview of Coruna
Coruna is an exploit kit that targets iPhones running iOS 13.0 through 17.2.1. It includes five full exploit chains against these devices, covering 23 exploitable vulnerabilities in total, among them two zero-day vulnerabilities that were previously exploited during Operation Triangulation and are reused in the Coruna kit:
1. CVE-2023-32434
2. CVE-2023-38606
The kit also features four additional kernel exploits built on the same underlying framework. It includes smart version and hardware checks for Apple’s A17, M3, M3 Pro, and M3 Max chips, as well as specific iOS builds (including 17.2 and the 16.5 beta 4 patch that closed the original Triangulation vulnerabilities).
How the Attack Works
The attack typically begins when a user visits a compromised website using Safari. The site serves a stager that fingerprints the device’s browser and iOS version, then delivers the appropriate exploit chain. Once the kernel is compromised, the payload executes Mach-O loaders and launches the final malware implant — in some cases identified as PlasmaLoader (also known as PLASMAGRID).
The launcher component orchestrates everything that runs on the compromised device; once those stages finish, it removes itself and all artifacts it created, limiting the forensic traces left behind.
From Espionage to Mass Exploitation
Coruna started as a targeted espionage tool, but has recently been repurposed for broader use by multiple threat actors, not only those conducting espionage.
Below are two examples of how Coruna has been diversified:
1. Watering hole attacks in Ukraine
2. Mass exploitations with clusters of fake Chinese gambling and cryptocurrency websites.
This marks a clear shift: advanced exploit frameworks that had been used only for nation-state operations are now also available to other types of actors.
Kaspersky has also stated that due to the modular nature of Coruna and the ease of reusing design components, it is highly plausible that other groups will take advantage of Coruna's framework in their own operations.
Additionally, Kaspersky's alert comes on the back of a recently leaked new version of another iOS exploit kit, DarkSword, which was posted to GitHub. This lowers the barrier even further for attackers attempting to compromise iPhones through known vulnerabilities.
Key Takeaway
A large number of people still run old or unpatched iOS devices that are vulnerable to attack. Apple has patched the vulnerabilities exploited by Coruna in newer iOS versions, so installing the update as soon as possible is one of the best defenses against this type of attack.
If you have an iPhone that is running iOS 17.2.1 or earlier, it is highly recommended that you update it to minimize the risk of being attacked. Advanced exploit kits like Coruna show that even sophisticated zero-day chains can eventually find their way into more widespread campaigns.
Source: The Hacker News