Coruna - Inside the Nation-State

Today, Google's Threat Intelligence Group published findings on what they have named Coruna, a powerful iOS exploit kit containing 23 exploits across five full exploit chains, targeting iPhones running iOS 13 through 17.2.1. Over the past several weeks, iVerify researchers have been conducting independent technical analysis of this same exploit kit: tracking infrastructure, analyzing payloads and mapping the exploit chains, including the discovery of the delivery infrastructure. Our research corroborates and extends what Google has published. Coruna is one of the most significant examples we have observed of sophisticated, spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and, ultimately, mass-scale criminal operations. It also confirms what iVerify has long argued: the mobile threat landscape is not standing still, and tools once reserved for targeting heads of state are now being deployed against ordinary iPhone users.

A couple of weeks ago, iVerify discovered a suspicious-looking domain, mxbc-v2[.]tjbjdod[.]cn. On accessing the domain with an iPhone running iOS 16, researchers observed that it hosted a set of exploits at https://mxbc-v2.tjbjdod.cn/static/analytics.html. The 1-click exploit chains obtained consist of a Remote Code Execution (RCE) exploit in Safari and a Local Privilege Escalation (LPE) exploit that together allow attackers to take control of infected devices. Internally, iVerify called the exploit kit CryptoWaters, because it contained a set of modules aimed at cryptocurrency wallets and was deployed as a watering-hole attack. The same exploit chain was also observed by Google Threat Intelligence Group, which named it Coruna and saw it used by a Russian threat actor in Ukraine. Notably, the exploit chains did not contain any specific targeting or one-time links: anyone who visited the website with a vulnerable iOS version could have been infected. This is not typical of the targeted attacks used by nation-states, but rather of e-criminal groups.

During the device compromise process, different components of the exploit chain run validation checks. The initial stage of the Safari Remote Code Execution (RCE) exploit checks for various conditions. Once the LPE has completed, it loads 73b26374b1c8df29c163775c2cd1f735ff6acd56.min.js inside powerd; this can be considered a second-stage implant. The implant checks in with a command and control server, specifically aidm8it5hf1jmtj[.]xyz, starting with an HTTP HEAD request and subsequently retrieving a config file from /details/show.html. The researchers note that powerd is used as a host for the first implant, and that the chains clearly try to clean up previous unsuccessful exploitation attempts. Further details and Indicators of Compromise (IOCs) describing how to find the attack on a device and via forensic acquisition are shared by the researchers, with ongoing analysis expected to reveal more in the coming weeks.
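
The HEAD-then-config-fetch check-in and the staging URL described above are the kind of pattern a network defender can hunt for in web proxy logs. The following is an added example written for this post, not code from the iVerify or Google analyses; the proxy log format and the sample log lines are constructed, and only the hostnames and paths quoted in the post are taken as indicators.

```python
import re
from collections import defaultdict

# Indicators quoted in the post, with the [.] defanging removed for matching.
STAGING_HOST, STAGING_PATH = "mxbc-v2.tjbjdod.cn", "/static/analytics.html"
C2_HOST, C2_CONFIG_PATH = "aidm8it5hf1jmtj.xyz", "/details/show.html"

# Constructed proxy log format: "<timestamp> <client> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")
URL_RE = re.compile(r"^https?://(?P<host>[^/]+)(?P<path>/[^?#]*)?")

def parse_line(line):
    """Return (client, method, host, path), or None if the line does not parse."""
    m = LOG_RE.match(line)
    u = URL_RE.match(m["url"]) if m else None
    if not u:
        return None
    return m["client"], m["method"], u["host"].lower(), (u["path"] or "/")

def find_coruna_activity(lines):
    """Return sorted (client, finding) pairs.
    staging_hit: GET for the page the post says hosted the exploits.
    c2_checkin: HEAD to the C2 host, then GET of the config path by the same
    client (the sequence the post describes). c2_config_only: config path
    fetched without the preceding HEAD; lower confidence, still worth triage."""
    head_seen = defaultdict(bool)
    findings = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole scan
        client, method, host, path = parsed
        if host == STAGING_HOST and path == STAGING_PATH:
            findings.add((client, "staging_hit"))
        elif host == C2_HOST:
            if method == "HEAD":
                head_seen[client] = True
            elif method == "GET" and path == C2_CONFIG_PATH:
                kind = "c2_checkin" if head_seen[client] else "c2_config_only"
                findings.add((client, kind))
    return sorted(findings)

# Constructed sample log lines (not real traffic); 10.0.0.8 lacks the HEAD step.
SAMPLE_LOG = """\
2024-01-10T10:00:01Z 10.0.0.5 GET https://mxbc-v2.tjbjdod.cn/static/analytics.html
2024-01-10T10:00:09Z 10.0.0.5 HEAD https://aidm8it5hf1jmtj.xyz/
2024-01-10T10:00:10Z 10.0.0.5 GET https://aidm8it5hf1jmtj.xyz/details/show.html
2024-01-10T10:01:00Z 10.0.0.7 GET https://www.example.com/index.html
2024-01-10T10:02:00Z 10.0.0.8 GET https://aidm8it5hf1jmtj.xyz/details/show.html
""".splitlines()
```

Running `find_coruna_activity(SAMPLE_LOG)` flags 10.0.0.5 for both the staging page and the full check-in sequence, and 10.0.0.8 for the config fetch alone.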

This post is licensed under CC BY 4.0 by the author.