Coruna iOS Kit Reuses 2023 Exploit Code in New Mass Attack

A kernel exploit that takes advantage of two security vulnerabilities in a recently disclosed Apple iOS exploit kit known as Coruna is an updated version of the same exploit used in the Operation Triangulation campaign back in 2023, according to new findings from Kaspersky.
“When Coruna was first reported, public evidence was not enough to link its code to Triangulation – the shared vulnerability alone does not prove that it is one of the authors,” Boris Larin, chief security researcher at Kaspersky GReAT, told The Hacker News in a statement.
“Coruna is not a patchwork of public exploits; it is an ongoing evolution of the original Operation Triangulation framework. The inclusion of checks for the latest processors like the M3 and the new iOS build shows that the original developers have actively expanded this codebase. What started as a precision spying tool is now being used indiscriminately.”
Coruna was first documented by Google and Verify earlier this month targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1.
Although the kit was first used by an unnamed client of the surveillance company early last year, it has since been observed in the hands of a state actor suspected of having ties to Russia, in watering hole attacks in Ukraine and in a mass exploitation campaign that used a collection of fake Chinese gambling and cryptocurrency websites to deliver malware known as PlaakaID to steal GRASMAL information (known as PlaakaInformation Theft).
The exploit kit contains five full iOS exploit chains and a total of 23 exploits, including CVE-2023-32434 and CVE-2023-38606, both of which were first used as zero-days in Operation Triangulation, a complex campaign targeting mobile devices that involved the exploitation of four Apple vulnerabilities.
Recent findings from Kaspersky showed the kernel exploits in both Triangulation and Coruna were created by the same author, with Coruna also using four additional kernel exploits. The Russian security vendor said all these exploits are built on the same kernel exploit framework and share the same code.
Specifically, the code includes support for Apple’s A17, M3, M3 Pro, and M3 Max processors, as well as checks for iOS 17.2 and iOS version 16.5 beta 4, the latter of which patched all four vulnerabilities used as part of Operation Triangulation. The iOS 17.2 check, on the other hand, is designed to address new exploits, Kaspersky said.
The attack starts when the user visits a compromised website in Safari, which causes the stager to fingerprint the browser and serve the appropriate exploit based on the browser and operating system version. This, in turn, paves the way for the delivery of a payload that carries out kernel exploitation.
“After downloading the necessary components, the payload starts running kernel exploits, Mach-O loaders, and a malware launcher,” Kaspersky said. “The payload selects the appropriate Mach-O loader based on firmware version, CPU, and the presence of the iokit-open-service permission.”
The launcher is the main orchestrator responsible for starting the post-exploitation tasks, running the kernel exploit to crash and running the final installation. It also cleans up exploit artifacts to hide traces of the intrusion.
“Initially developed for cyber-espionage purposes, this framework is now used by cybercriminals of a wide variety, putting millions of users with unpatched devices at risk,” said Larin. “Since it’s designed to be simple and easy to use, we expect that other threat actors will start incorporating it into their attacks.”
The development comes as a new version of the iPhone exploit kit DarkSword has been leaked on GitHub, raising concerns that it could arm many threat actors with advanced capabilities to compromise devices, effectively turning what was once an elite hacking tool into a framework for mass exploitation. The release of the new version was first reported by TechCrunch.