- Google researchers discover a very complex exploit kit, called ‘Coruna’
- The kit was deployed by a surveillance software customer before being used by Russian and Chinese threat actors
- Documentation from the kit shows evidence of being developed by the US government
A highly complex exploit kit targeting iPhones, containing non-public exploits and workarounds, has been discovered by researchers from the Google Threat Intelligence Group (GTIG).
The kit, tracked as “Coruna”, was initially used in targeted attacks by a customer of an unnamed surveillance firm, and later appeared in use by Russian and Chinese threat actors before GTIG could obtain the full kit.
Further research by the iVerify team into the sources of the exploits contained in the kit has indicated that the kit may have been developed as a US government framework.
iPhone exploit kit developed by the US government
The Coruna exploit kit is not like ordinary malware developed by a common or garden hacker.
The complexity of the kit, which contains 23 exploits that work in different configurations to form five full exploit chains, means that the kit was assembled by a nation state. The exploit kit is also unique in that it works to compromise devices en masse, rather than the surgically targeted nature of spyware developed by surveillance companies, with iVerify calling Coruna the “first known mass iOS attack.”
The full exploit kit was obtained by Google after a Chinese threat actor deployed the kit for use on several gambling and cryptocurrency sites. However, when analyzed by iVerify, the exploit kit contained extensive documentation written in native English. The highly organized nature of the kit’s framework also shared similarities with frameworks developed by the US government.
The final payload of the exploit kit obtained from the Chinese threat actors was designed to access and retrieve financial information such as crypto wallets as well as media files and sensitive personal information.
iVerify further notes that Coruna has followed a similar trajectory to spyware and exploits developed by surveillance vendors that are then sold to governments. The exploits are deployed in the wild by the end user, such as a government agency, where they can be picked up and stolen by other threat actors and deployed.
The most notable example of this is the EternalBlue exploit software, which used a zero-day exploit to compromise Microsoft devices. EternalBlue was actively used by the US National Security Agency (NSA) for several years, with Microsoft only becoming aware of the zero-day after EternalBlue was stolen.
The iVerify team added that “Brokers cannot trust these options and business-to-business transactions over the spyware market are highly unregulated.” The Pall Mall process – an international framework developed to deal with the irresponsible development and sale of spyware and surveillance software – was specifically designed to prevent the exact situation that occurred with EternalBlue and may have occurred with the Coruna kit.
How to stay protected
The Coruna kit uses exploits deployed against iPhones running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). By upgrading to the latest iOS version, your device will be protected against all the exploits used in the Coruna kit.
Users who are unable to upgrade their device to the latest iOS version must place their iPhone in Lockdown Mode. To do this, take the following steps:
- Go to Settings, then Privacy & Security
- Scroll down and tap Lockdown Mode
- Tap Turn On Lockdown Mode
Users who believe their device may have been infected should consult the GTIG indicators of compromise and iVerify’s ‘How to get rid of it’ section.