ACCORDING to Google and iVerify, Coruna is a modular exploit framework used in Operation Triangulation that was first disclosed in reports about a highly sophisticated iPhone-targeting kit. The Securelist piece notes that the exploit kit targets Apple iPhone devices and was initially seen in targeted attacks by an unnamed surveillance vendor’s customer, later appearing in watering-hole attacks in Ukraine and financially motivated campaigns in China.
Researchers found that Coruna includes four additional kernel exploits and that one of its kernel exploits is an updated version of the exploit used in Operation Triangulation, built on a shared codebase. The analysis details that the payload decrypts additional components via ChaCha20, with various file packages including kernel exploits, Mach-O loaders, and a launcher, and identifies observed package IDs such as 0x90000 for kernel exploits and 0x70000 for a list of components.
The report highlights CVE-2023-32434 and CVE-2023-38606 as exploits included in Coruna, which had been first discovered during Triangulation. It concludes by warning that the framework’s modular design facilitates reuse by different threat actors and urges users to apply the latest security updates promptly.