Full Report
Follows suggestions iPhone-pwning toolset bears hallmarks of zero-days that targeted Russian diplomats

Russian cybersecurity outfit Kaspersky is waving away claims that an iPhone exploit kit recently uncovered by Google was developed by the same people who were behind a group of zero-days that allegedly compromised thousands of Russian diplomats in a 2023 campaign.…
Analysis Summary
# Tool/Technique: Coruna Exploit Kit
## Overview
Coruna is a highly sophisticated, multi-stage iOS exploit kit used by state-sponsored actors and potentially by commercial spyware vendors. It is designed to compromise iPhones via watering-hole attacks, infecting devices when a user visits a compromised or malicious website. The toolkit is notable for its modularity: it contains a library of 23 distinct vulnerabilities that are combined into at least five unique full exploit chains.
## Technical Details
- **Type:** Exploit Kit / Framework
- **Platform:** iOS (Versions 13 through 17.2.1)
- **Capabilities:** Remote Code Execution (RCE), Kernel Privilege Escalation, Hardware Security Bypass, Geofencing.
- **First Seen:** Tracked by Google since February 2025 (utilizing vulnerabilities dating back to 2019).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise
- **TA0002 - Execution**
  - T1203 - Exploitation for Client Execution
  - T1106 - Native API
- **TA0004 - Privilege Escalation**
  - T1068 - Exploitation for Privilege Escalation
- **TA0005 - Defense Evasion**
  - T1620 - Reflective Code Loading
- **TA0007 - Discovery**
  - T1614 - System Location Discovery (via geofencing)
## Functionality
### Core Capabilities
- **Watering Hole Delivery:** Delivered via hidden iFrames on compromised legitimate websites (e.g., Ukrainian industrial and e-commerce sites) or fake Chinese financial/crypto sites.
- **Modular Exploit Library:** Contains 23 vulnerabilities, allowing the kit to adapt to different iOS versions (13 through 17.2.1).
- **Geofencing:** Delivers the exploit only to visitors from a "specific geolocation" and ignores everyone else, limiting exposure of the kit to researchers.
- **JavaScript Framework:** Used to orchestrate the initial stages of the exploit and deliver the payload.
### Advanced Features
- **Hardware-Level Bypass:** Utilizes CVE-2023-38606 ("Gallium") to exploit undocumented Apple hardware features, bypassing chip-level security protections.
- **Kernel Mastery:** Utilizes CVE-2023-32434 ("Photon") to gain full control over the iOS kernel.
- **Novel Frameworks:** Employs non-public techniques and sophisticated code structures that suggest high-budget development (estimated in the millions of dollars).
- **English Codenames:** Exploits within the kit use English bird/science codenames (e.g., "Cassowary," "Neutron").
## Indicators of Compromise
*Note: Specific hashes and full domains are provided in the referenced Google GTIG technical report. The indicators below are generalized from the text; the hostname shown is a placeholder, not an observed indicator.*
- **File Names:** Debug versions of the kit may contain strings or metadata referencing "Cassowary," "Neutron," "Photon," or "Gallium."
- **Network Indicators:**
  - Hostnames associated with fake Chinese finance/cryptocurrency websites.
  - Domains used to host the malicious JavaScript framework (placeholder, defanged): `hxxp[:]//example-malicious-domain[.]com/iframe.js`
- **Behavioral Indicators:**
  - High-volume outbound requests to unknown C2s following a visit to a compromised website.
  - Hidden iFrame injections in web traffic destined for iOS devices.
## Associated Threat Actors
- **UNC/State-Sponsored Groups:** Observed targeting Ukrainian industrial targets and Chinese-speaking users.
- **Commercial Spyware Vendors:** Suspected due to the high cost of development and sophistication.
- **Speculative Attribution:** Some researchers suggest links to US-aligned actors due to English codenames and similarities to "Operation Triangulation," though Kaspersky disputes this, citing a lack of code reuse.
## Detection Methods
- **Signature-based detection:** Detection of the specific JavaScript framework used to deliver Coruna.
- **Behavioral detection:** Monitoring for exploitation of known CVEs (listed below) on iOS devices.
- **Geographic Anomaly Detection:** Identifying redirects to iFrames based on specific IP geolocations.
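The delivery and behavioral indicators above both come down to an injected iframe the visitor never sees. The following detector, added here as an example and not code from the report or from Google GTIG, parses captured HTML and flags iframes hidden by CSS, zero-size dimensions, or the `hidden` attribute; the sample page and the `placeholder-staging-host.invalid` hostname are constructed.

```python
# Flag hidden <iframe> injections in captured HTML, the watering-hole delivery
# pattern the report describes. Added example, not code from the report or
# from Google GTIG; the sample page below is constructed for illustration.
import re
from html.parser import HTMLParser

# Style fragments that make a frame invisible: display:none, visibility:hidden,
# opacity:0, or an off-screen negative offset.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])|"
    r"(?:left|top)\s*:\s*-\d+", re.I)

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})

def _tiny(value):
    """True for a width/height of 0 or 1 pixel (the classic 1x1 frame)."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1

def find_hidden_iframes(html):
    """Return (src, reason) for each iframe the viewer cannot see."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for a in parser.iframes:
        src = a.get("src", "")
        if HIDDEN_STYLE.search(a.get("style", "")):
            findings.append((src, "hidden by CSS"))
        elif _tiny(a.get("width", "")) and _tiny(a.get("height", "")):
            findings.append((src, "zero-size frame"))
        elif "hidden" in a:
            findings.append((src, "hidden attribute"))
    return findings

# Constructed sample: one visible embed plus two injected frames.
SAMPLE_PAGE = """<html><body>
<iframe src="https://video.example.org/embed/42" width="640" height="360"></iframe>
<iframe src="https://placeholder-staging-host.invalid/iframe.js"
        style="position:absolute; left:-9999px"></iframe>
<iframe src="https://placeholder-staging-host.invalid/l.html" width="0" height="0"></iframe>
</body></html>"""
```

Run `find_hidden_iframes` over response bodies captured at a proxy or in a HAR file; a hit on a page that normally carries no frames is the cue to pull the referenced script for analysis.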
## Mitigation Strategies
- **Prevention measures:**
  - Update iOS devices to the latest version (Coruna targets up to 17.2.1; newer versions contain patches for major components).
  - Enable **Lockdown Mode** on iOS for high-risk users to reduce the attack surface of WebKit.
- **Hardening recommendations:** Use mobile threat defense (MTD) solutions to detect suspicious network activity and system integrity breaches.
## Related Tools/Techniques
- **Operation Triangulation:** A 2023 campaign targeting Russian diplomats that shared two vulnerabilities (CVE-2023-32434 and CVE-2023-38606) with Coruna.
- **Commercial Spyware (Pegasus/Predator):** Similar in delivery model and sophistication level.
- **Vulnerabilities Utilized:**
  - CVE-2024-23222 ("Cassowary")
  - CVE-2020-27932 ("Neutron")
  - CVE-2023-32434 ("Photon")
  - CVE-2023-38606 ("Gallium")