Full Report
A previously undocumented set of 23 iOS exploits named "Coruna" has been deployed by multiple threat actors in targeted espionage campaigns and financially motivated attacks. [...]
Analysis Summary
# Tool/Technique: Coruna Exploit Kit
## Overview
Coruna is a sophisticated, previously undocumented iOS exploit kit comprising 23 distinct exploits and five full exploit chains. Initially developed by commercial surveillance vendors for targeted espionage, it has since "proliferated" to nation-state actors and financially motivated cybercriminals. The kit fingerprints the device, selects a matching exploit chain, and delivers follow-on payloads such as the **PlasmaGrid** (PlasmaLoader) malware.
## Technical Details
- **Type:** Exploit Kit / JavaScript Delivery Framework
- **Platform:** iOS (Versions 13.0 through 17.2.1)
- **Capabilities:** Remote Code Execution (RCE), sandbox escape, privilege escalation, and credential/crypto theft.
- **First Seen:** February 2025 (activity attributed to surveillance vendors).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise (watering hole attacks / fake websites)
- **TA0002 - Execution**
  - T1203 - Exploitation for Client Execution (WebKit RCE)
  - T1059.007 - JavaScript (delivery framework)
- **TA0004 - Privilege Escalation**
  - T1068 - Exploitation for Privilege Escalation (kernel and PPL bypasses)
- **TA0005 - Defense Evasion**
  - T1622 - Debugger Evasion (fingerprinting and Lockdown Mode detection)
  - T1562.001 - Disable or Modify Tools (checking for private browsing)
- **TA0006 - Credential Access**
  - T1555 - Credentials from Web Browsers (targeting crypto wallet phrases)
- **TA0011 - Command and Control**
  - T1568.002 - Domain Generation Algorithms (DGA with "lazarus" seed)
## Functionality
### Core Capabilities
- **Fingerprinting:** Identifies device hardware and OS versions to select the optimal exploit chain.
- **Anti-Analysis:** Automatically terminates execution if "Lockdown Mode" or "Private Browsing" is detected.
- **Exploit Chains:** Utilizes 23 exploits covering WebKit (RCE), PAC bypasses, Sandbox escapes, Kernel escalation, and PPL bypasses.
- **Modular Payload Delivery:** Drops **PlasmaLoader** (PlasmaGrid), which injects into the `powerd` root daemon.
### Advanced Features
- **Sophisticated Bypasses:** Employs non-public techniques and mitigation bypasses for modern iOS security features.
- **Hardware Exploitation:** Reuses techniques from "Operation Triangulation" that abuse undocumented hardware features in Apple devices.
- **Data Exfiltration:** Specifically targets BIP39 recovery phrases, "backup phrases," and Apple Memos data.
## Indicators of Compromise
- **File Names:** PlasmaLoader, PlasmaGrid
- **Network Indicators:**
  - DGA-generated domains using the `.xyz` TLD
  - C2 addresses encoded within the JavaScript framework
  - Seed for DGA: `lazarus`
- **Behavioral Indicators:**
  - Injection into the `powerd` iOS root daemon.
  - Unexpected outbound connections from system daemons to `.xyz` domains.
## Associated Threat Actors
- **Commercial Surveillance Vendors:** Original authors (unnamed, but linked to government-grade spyware).
- **UNC6353:** Suspected Russian-linked actor using the kit for watering hole attacks on Ukrainian websites.
- **UNC6691:** Financially motivated Chinese actor targeting cryptocurrency users.
## Detection Methods
- **Signature-based detection:** Google Safe Browsing has indexed known malicious domains and delivery frameworks.
- **Behavioral detection:** Monitoring for unauthorized code injection into core iOS daemons (like `powerd`).
- **Device Health Checks:** Auditing for OS versions older than iOS 17.3 or the presence of specific temporary files associated with the WebKit exploit (CVE-2024-23222).
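As an added example (not code from the report or from Google's analysis), the two checks above can be expressed as a small Python triage script: a version check against the 13.0 to 17.2.1 range and the 17.3 fix the report names, and a scan of connection-log lines for system daemons reaching `.xyz` hosts. The log line format and the sample lines are constructed assumptions; `powerd` is the only daemon named by the report.

```python
import re
from typing import List, NamedTuple, Tuple

# Version range the report gives as affected by the Coruna chains, and the
# first release it names as fixing CVE-2024-23222.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)
FIXED_VERSION = (17, 3, 0)

# Daemons whose outbound traffic to the reported TLD is suspicious.
SYSTEM_DAEMONS = {"powerd"}
SUSPICIOUS_TLD = ".xyz"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '17.2.1' or '17.3' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])  # type: ignore[return-value]


def ios_version_is_affected(version: str) -> bool:
    """True if the build falls inside the range the kit is reported to target."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def needs_update(version: str) -> bool:
    """True if the build predates the 17.3 fix for the WebKit entry point."""
    return parse_version(version) < FIXED_VERSION


class Finding(NamedTuple):
    process: str
    dest: str
    reason: str


# Constructed log format (assumption): "<timestamp> <process> -> <host>:<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+->\s+(?P<host>[^:\s]+):(?P<port>\d+)$")


def scan_network_log(lines: List[str]) -> List[Finding]:
    """Flag connections from system daemons to .xyz hosts; skip unparsable lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        proc, host = m.group("proc"), m.group("host").lower()
        if proc in SYSTEM_DAEMONS and host.endswith(SUSPICIOUS_TLD):
            findings.append(Finding(proc, host, "system daemon contacting .xyz domain"))
    return findings


# Constructed sample lines, not real telemetry.
SAMPLE_LOG = [
    "2025-02-10T09:12:01Z powerd -> ab12cd.xyz:443",
    "2025-02-10T09:12:05Z MobileSafari -> www.example.com:443",
    "2025-02-10T09:12:09Z powerd -> time.apple.com:123",
]
```

On the sample log only the first line is flagged: the Safari connection is not from a system daemon, and the second `powerd` line does not go to a `.xyz` host.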
## Mitigation Strategies
- **Patch Management:** Update iOS to the latest version (minimum 17.3+ to mitigate CVE-2024-23222).
- **Hardening:** Enable **Lockdown Mode**, as the Coruna framework is designed to abort if this feature is active.
- **User Education:** Avoid visiting suspicious gambling or cryptocurrency-themed websites on mobile devices.
## Related Tools/Techniques
- **Operation Triangulation:** Shared exploitation techniques of undocumented hardware features.
- **CVE-2024-23222:** The primary WebKit vulnerability used for initial RCE.
- **PlasmaGrid:** The specific stager/loader used in conjunction with Coruna for financial theft.