Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit | Google Cloud Blog

Google Threat Intelligence Group (GTIG) disclosed the Coruna iOS exploit kit — a commercial-grade package of five full exploit chains and 23 exploits that target iPhone models running iOS 13.0 through 17.2.1 and that was observed in operations by multiple actors including a surveillance-customer operator, UNC6353, and UNC6691. #Coruna #PLASMAGRID

Keypoints

  • GTIG recovered the Coruna exploit kit, which contains five full iOS exploit chains and a total of 23 exploits affecting iOS 13.0 → 17.2.1, with several exploits using non-public techniques and mitigation bypasses.
  • The exploit kit uses an obfuscated JavaScript framework for device fingerprinting to select and deliver the appropriate WebKit RCE, followed by PAC and other kernel bypasses.
  • Coruna was first seen from a surveillance vendor customer, later used in watering-hole attacks on Ukrainian sites by UNC6353, then repurposed in large-scale scam campaigns by UNC6691, indicating exploit proliferation in secondary markets.
  • The final-stage payload (PlasmaLoader / PLASMAGRID) injects into powerd as root and focuses on stealing cryptocurrency-related information (QR codes, BIP39 phrases, wallet app data) and fetching additional modules from C2 servers.
  • The framework employs multiple operational protections and features: Lockdown Mode checks, unique cookie-derived resource URLs, ChaCha20-encrypted binary blobs, a custom file format (0xf00dbeef header), LZW compression, and .min.js-served encrypted modules.
  • GTIG added identified domains to Safe Browsing, published YARA rules, and provided IOCs (file hashes, bundle IDs, delivery URLs, C2 domains) to help detection and remediation; users are urged to update iOS or enable Lockdown Mode if updates are not possible.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – WebKit remote code execution exploits were loaded based on device fingerprinting (‘it loads the appropriate WebKit remote code execution (RCE) exploit’).
  • [T1059.007] Command and Scripting Interpreter: JavaScript – the exploit framework is a heavily obfuscated JavaScript delivery and loader (‘The JavaScript framework used these constructs to encode strings and integers’).
  • [T1055] Process Injection – the final loader injects into a privileged system process to run payloads (‘The loader is injecting itself into powerd, a daemon running as root on iOS.’).
  • [T1005] Data from Local System – the implant collects local artifacts such as images and notes to extract wallet data and backup phrases (‘the payload can decode QR codes from images on disk’ and scans Apple Memos for “backup phrase”).
  • [T1041] Exfiltration Over C2 Channel – collected data is encrypted and POSTed to remote C2 endpoints over HTTPS with AES (‘collected data encrypted and POSTed with AES using the SHA256 hash of a static string as key’).
  • [T1483] Domain Generation Algorithms – the implant uses a custom DGA seeded with “lazarus” to generate fallback C2 domains (‘The implant embeds a custom domain generation algorithm (DGA) using the string “lazarus” as seed to generate a list of predictable domains.’).

Indicators of Compromise

  • [File Hashes] hashes for implant modules and payloads – com.apple.assistd: 2a9d21ca07244932939c6c58699448f2147992c1f49cd3bc7d067bd92cb54f3a, com.bitkeep.os: 6eafd742f58db21fbaf5fd7636e6653446df04b4a5c9bca9104e5dfad34f547c (and ~20 more hashes listed in the GTIG collection).
  • [Bundle IDs] identifiers used by implants and modules – com.apple.assistd (PLASMAGRID/PlasmaLoader), com.bitkeep.os (wallet-targeting module).
  • [Delivery URLs / Watering Hole URLs] pages delivering the Coruna exploit kit – http://cdn.uacounter[.]com/stat.html (Ukrainian watering hole), https://ai-scorepredict[.]com/static/analytics[.]html (UNC6691-delivered scam site), and many other scam/delivery URLs listed in the report.
  • [C2 Domains] PLASMAGRID command-and-control domains (DGA-generated .xyz domains) – vvri8ocl4t3k8n6[.]xyz, rlau616jc7a7f7i[.]xyz (and dozens of additional .xyz domains in the PLASMAGRID list).
  • [File names / Formats] runtime blob and module formats referenced in delivery – resources served with a .min.js suffix and a custom package header 0xf00dbeef (e.g., encrypted .min.js blobs and LZW-compressed custom files).
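The two format indicators above (the 0xf00dbeef package header and encrypted modules served under a .min.js suffix) can be turned into a simple proxy-log or sandbox triage check. The helper below is an added example, not code from the GTIG report or from the Coruna kit; it assumes the magic occupies the first four bytes of the blob (the report does not state the byte order, so both are checked) and uses constructed sample bodies.

```python
import math
import struct

# Magic header of Coruna's custom package format, as reported by GTIG.
CORUNA_MAGIC = 0xF00DBEEF
# Assumption: the magic is the first 4 bytes; byte order unknown, so test both.
MAGIC_VARIANTS = (struct.pack("<I", CORUNA_MAGIC), struct.pack(">I", CORUNA_MAGIC))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed blobs sit near 8, real JS well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_resource(url: str, body: bytes, entropy_threshold: float = 7.0) -> dict:
    """Flag a fetched resource that carries the Coruna header or that is served
    as minified JavaScript but looks like an encrypted blob."""
    reasons = []
    if body[:4] in MAGIC_VARIANTS:
        reasons.append("0xf00dbeef package header")
    path = url.split("?", 1)[0]
    if path.endswith(".min.js"):
        entropy = shannon_entropy(body)
        if entropy >= entropy_threshold:
            reasons.append(f".min.js body with high entropy ({entropy:.2f} bits/byte)")
    return {"url": url, "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples (not real Coruna artifacts): a header followed by a
# flat byte distribution standing in for ciphertext, and ordinary minified JS.
CONSTRUCTED_BLOB = struct.pack("<I", CORUNA_MAGIC) + bytes(range(256)) * 4
BENIGN_JS = b"function f(a){return a+1;}" * 20


def demo() -> list:
    """Run the triage over the constructed samples and return the verdicts."""
    return [
        triage_resource("https://cdn.example.test/static/app.min.js", CONSTRUCTED_BLOB),
        triage_resource("https://cdn.example.test/static/app.min.js", BENIGN_JS),
        triage_resource("https://cdn.example.test/data.bin", BENIGN_JS),
    ]
```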

Read more: https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit/