CORUNA iOS Kit reuses the 2023 Triangulation exploit code in a new mass-attacks campaign, an update that, according to new findings from Kaspersky, forms part of a continuously maintained evolution of the original Operation Triangulation framework. The evidence from Kaspersky’s analysis indicates the kernel exploits in Triangulation and Coruna were created by the same author, with Coruna adding four additional kernel exploits and targeting newer processors such as A17 and M3 family.
Coruna targets Apple iPhone models running iOS versions between 13.0 and 17.2.1, and its campaign has involved a mass exploitation approach using a cluster of fake Chinese gambling and cryptocurrency websites to deliver PlasmaLoader, with claims that a Russia-aligned nation-state actor used it in Ukraine watering-hole attacks. The kit contains five full iOS exploit chains and a total of 23 exploits, including CVE-2023-32434 and CVE-2023-38606, which were first used as zero-days in Operation Triangulation.
The starting point of the attack is visiting a compromised website on Safari, where a stager fingerprints the browser to serve the appropriate exploit and trigger kernel exploits before the payload executes Mach-O loaders and the final implant, according to Kaspersky.