# Full Report
The kernel exploit for two security vulnerabilities used in the recently uncovered Apple iOS exploit kit known as Coruna is an updated version of the same exploit that was used in the Operation Triangulation campaign back in 2023, according to new findings from Kaspersky. "When Coruna was first reported, the public evidence wasn't sufficient to link its code to Triangulation — shared
# Analysis Summary
# Tool/Technique: Coruna (updated Triangulation Exploit)
## Overview
**Coruna** is a sophisticated iOS exploit kit recently uncovered in the wild. Research indicates it utilizes an updated version of the kernel exploit previously associated with the high-profile **Operation Triangulation** campaign. The kit leverages a chain of vulnerabilities to achieve kernel-level execution on Apple mobile devices, demonstrating a direct evolutionary link between the two campaigns through shared code structures and exploitation logic.
## Technical Details
- **Type:** Malware / Exploit Kit
- **Platform:** iOS (Apple mobile devices)
- **Capabilities:** Kernel-level exploitation, privilege escalation, bypass of hardware-based security mitigations (PAC/PPL).
- **First Seen:** 2023 (Operation Triangulation); 2024 (Coruna variant reported).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1475 - Exploitation of Remote Services (Zero-click messaging vulnerabilities)
- **TA0004 - Privilege Escalation**
  - T1611 - Escape to Host (Kernel exploitation)
  - T1404 - Exploitation for Privilege Escalation
- **TA0005 - Defense Evasion**
  - T1620 - Reflective Code Loading
  - T1548 - Abuse Elevation Control Mechanism
## Functionality
### Core Capabilities
- **Vulnerability Chaining:** Orchestrates multiple exploits to move from a sandbox environment to the kernel.
- **Kernel Memory Manipulation:** Capability to read and write to kernel memory to disable security checks.
- **Persistent Access:** While primarily memory-resident, the kit is designed to facilitate the deployment of secondary spy modules.
### Advanced Features
- **Hardware-Level Bypass:** Specifically designed to circumvent advanced Apple security features such as Pointer Authentication Codes (PAC) and Page Protection Layer (PPL).
- **Code Evolution:** The Coruna variant includes updated offsets and logic to target newer iOS versions that were previously patched or adjusted after the original Triangulation discovery.
## Indicators of Compromise
*Note: Specific hashes for the Coruna variant are often unique to specific targets (one-time-use links or polymorphic payloads).*
- **File Hashes:** [Specific hashes are typically restricted to private intelligence; refer to Kaspersky's leaked Triangulation samples for baseline comparisons]
- **Network Indicators:**
  - `backuun[.]com` (Defanged)
  - `dnipu[.]com` (Defanged)
- **Behavioral Indicators:**
  - Unusual process crashes in `IMDPersistenceAgent`.
  - Anomalous memory usage patterns in Apple's web or messaging frameworks.
## Associated Threat Actors
- **Operation Triangulation Actors:** While the specific group remains unnamed by many vendors, the complexity suggests a highly sophisticated, state-sponsored APT (Advanced Persistent Threat).
## Detection Methods
- **Signature-based detection:** Scanning for specific shellcode patterns identified in the Triangulation and Coruna exploit chains.
- **Behavioral detection:** Monitoring for unexpected kernel-level memory modifications or system calls originating from sandboxed applications.
- **System Integrity Checks:** Using tools like MVT (Mobile Verification Toolkit) to scan for "remnants" of the exploit kit in mobile backups.
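The following script is an added example (not code from Kaspersky or from this report) that turns the indicators listed under "Indicators of Compromise" and the "Behavioral detection" idea above into something that can be run over logs. It refangs the two network indicators named on the page and matches them against DNS query lines, and it looks for a burst of `IMDPersistenceAgent` crashes rather than a single crash, since one crash is ordinary noise. The log formats (a dnsmasq-style query line and a key=value crash-event line), the sample log entries, the one-hour window and the threshold of three crashes are all constructed assumptions for illustration; adapt the regexes to whatever your DNS resolver and device-log export actually produce.

```python
import re
from datetime import datetime, timedelta

# Network indicators exactly as listed on this page, in defanged form.
DEFANGED_DOMAINS = ["backuun[.]com", "dnipu[.]com"]

# Process named on this page as showing unusual crashes.
WATCHED_PROCESS = "IMDPersistenceAgent"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def domain_matches(hostname: str) -> bool:
    """True if hostname is an IoC domain or a subdomain of one.

    Label-aware matching: 'cdn.backuun.com' matches, 'notbackuun.com' does not.
    A trailing FQDN dot and mixed case are tolerated.
    """
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in IOC_DOMAINS)


# dnsmasq-style query line; assumed format for the constructed sample below.
DNS_LINE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def scan_dns_log(lines):
    """Return (client, queried_name) pairs for every query that hits an IoC domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.search(line)
        if m and domain_matches(m.group("name")):
            hits.append((m.group("client"), m.group("name").lower().rstrip(".")))
    return hits


# Hypothetical key=value crash-event line; assumed format for the constructed sample below.
CRASH_LINE = re.compile(r"^(?P<ts>\S+)\s+process=(?P<proc>\S+)\s+event=crash\b")


def max_crashes_in_window(lines, process=WATCHED_PROCESS, window=timedelta(hours=1)) -> int:
    """Largest number of crashes of `process` that fall inside any `window`-long span."""
    times = sorted(
        datetime.fromisoformat(m.group("ts"))
        for m in (CRASH_LINE.match(line) for line in lines)
        if m and m.group("proc") == process
    )
    best = 0
    start = 0
    for end, t in enumerate(times):          # sliding window over sorted timestamps
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def crash_burst_detected(lines, threshold=3, **kwargs) -> bool:
    """Flag a crash burst: at least `threshold` crashes of the watched process in one window."""
    return max_crashes_in_window(lines, **kwargs) >= threshold


# Constructed sample logs (not real telemetry); the fourth DNS line is a near-miss
# included to show that substring matching would produce a false positive.
SAMPLE_DNS_LOG = [
    "Mar  1 10:02:11 dnsmasq[812]: query[A] cdn.backuun.com from 10.0.0.12",
    "Mar  1 10:02:12 dnsmasq[812]: query[A] www.apple.com from 10.0.0.12",
    "Mar  1 10:03:40 dnsmasq[812]: query[AAAA] dnipu.com. from 10.0.0.31",
    "Mar  1 10:04:00 dnsmasq[812]: query[A] notbackuun.com from 10.0.0.31",
]

SAMPLE_CRASH_LOG = [
    "2024-03-01T09:15:00 process=IMDPersistenceAgent event=crash signal=SIGSEGV",
    "2024-03-01T10:01:05 process=IMDPersistenceAgent event=crash signal=SIGSEGV",
    "2024-03-01T10:07:49 process=IMDPersistenceAgent event=crash signal=SIGBUS",
    "2024-03-01T10:21:13 process=IMDPersistenceAgent event=crash signal=SIGSEGV",
    "2024-03-01T10:22:00 process=mediaserverd event=crash signal=SIGABRT",
]

if __name__ == "__main__":
    for client, name in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"IoC domain hit: {client} queried {name}")
    n = max_crashes_in_window(SAMPLE_CRASH_LOG)
    print(f"{WATCHED_PROCESS}: max {n} crashes in one hour, "
          f"burst={'yes' if crash_burst_detected(SAMPLE_CRASH_LOG) else 'no'}")
```

Two design points carry over to real deployments: match indicators on DNS label boundaries (equality or a `.`-prefixed suffix) so that look-alike registrations do not trigger, and rate crash indicators on a window rather than on single events, since a messaging daemon crashing once is routine while several crashes within an hour on one device is worth an MVT scan of that device's backup.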
## Mitigation Strategies
- **Operating System Updates:** Immediately update iOS to the latest version to patch the underlying vulnerabilities exploited by the kit.
- **Reboot Schedule:** Regular reboots can clear memory-resident exploits (though re-infection is possible through 1-click or 0-click triggers).
- **Lockdown Mode:** Enabling Apple's "Lockdown Mode" significantly reduces the attack surface for complex exploit kits like Coruna.
## Related Tools/Techniques
- **Operation Triangulation:** The predecessor and code-base origin of the Coruna kit.
- **Pegasus (NSO Group):** Similar in objective and sophistication regarding iOS kernel exploitation.
- **CVE-2023-32434 / CVE-2023-38606:** Vulnerabilities previously leveraged by this family of exploits.