Mark0

Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit

Google Threat Intelligence Group (GTIG) has uncovered "Coruna," a sophisticated iOS exploit kit containing 23 exploits and five full exploit chains targeting iOS versions 13.0 through 17.2.1. The kit's lifecycle demonstrates a significant trend in exploit proliferation; it was initially used by a commercial surveillance vendor, then by a Russian espionage group (UNC6353) for watering hole attacks in Ukraine, and finally by a Chinese financially motivated actor (UNC6691) via fake cryptocurrency websites. This migration suggests an active secondary market for advanced zero-day vulnerabilities and exploitation techniques.

Technically, Coruna uses a highly engineered framework to perform device fingerprinting, WebKit remote code execution (RCE), and pointer authentication code (PAC) bypasses. The final payload, known as PLASMAGRID, is a loader that injects into the powerd daemon to exfiltrate sensitive data. Specifically, it targets cryptocurrency wallets, BIP39 recovery phrases, and Apple Memos, utilizing a custom domain generation algorithm (DGA) for resilient command-and-control communication.
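The report notes that PLASMAGRID relies on a custom domain generation algorithm for its command-and-control traffic. From the defender's side, the practical consequence is that DNS logs are the place to look: algorithmically generated labels tend to be long, digit-heavy, vowel-poor and close to uniform in character use, whereas human-registered names are not. The following Python is an added illustration of that detection heuristic; it is not code from the GTIG report or from PLASMAGRID, and the log lines, domain names and scoring thresholds are all constructed assumptions for the example. The scorer combines four traits rather than relying on entropy alone, since legitimate long names (the constructed `cloudflareinsights` label below) also score high on entropy.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (hypothetical; not from the GTIG report).
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z host=iphone-a qname=www.apple.com
2024-05-01T10:00:02Z host=iphone-a qname=cdn.jsdelivr.net
2024-05-01T10:00:03Z host=iphone-b qname=xq7v2kd9plm3zt.top
2024-05-01T10:00:04Z host=iphone-b qname=hj4nw8rq2ykb6f.xyz
2024-05-01T10:00:05Z host=iphone-a qname=static.cloudflareinsights.com
2024-05-01T10:00:06Z host=iphone-a qname=mail.google.com
"""

LOG_RE = re.compile(r"host=(?P<host>\S+)\s+qname=(?P<qname>\S+)")
VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Label directly left of the TLD. Simplification for the example:
    multi-part public suffixes such as co.uk are not handled."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(label: str) -> int:
    """Count how many DGA-like traits a label shows (0-4).
    Thresholds are illustrative assumptions, not values from the report."""
    n = len(label)
    if n == 0:
        return 0
    digits = sum(ch.isdigit() for ch in label) / n
    vowels = sum(ch in VOWELS for ch in label) / n
    traits = [
        shannon_entropy(label) >= 3.5,  # near-uniform character use
        digits >= 0.2,                  # random labels mix in digits
        vowels < 0.2,                   # human words contain vowels
        n >= 12,                        # long, unpronounceable label
    ]
    return sum(traits)


def flag_dga_queries(log_text: str, threshold: int = 3) -> list[tuple[str, str]]:
    """Return (host, qname) pairs whose registrable label scores >= threshold."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname")
        if dga_score(registrable_label(qname)) >= threshold:
            flagged.append((m.group("host"), qname))
    return flagged


if __name__ == "__main__":
    for host, qname in flag_dga_queries(SAMPLE_DNS_LOG):
        print(f"DGA-like query from {host}: {qname}")
```

Run against the constructed log, only the two random-looking `.top` and `.xyz` labels from `iphone-b` are flagged; `cloudflareinsights` exceeds the entropy threshold but fails the digit and vowel tests, which is why the heuristic requires three of four traits before raising an alert. In practice the output is a triage list to correlate with other telemetry (process name, destination IPs, timing), not a verdict on its own.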
