This is for the iPhone users.
Google just analyzed a powerful exploit kit named Coruna. The exploit kit contains exploits that work on different iOS versions, from iOS 13 up to iOS 17.2.1.
The crazy part is that the exploit kit bundles up to 23 separate exploit pieces, plus some well-known existing exploits.
| Affected iOS versions | Exploit | Type | Patched in | CVE |
|---|---|---|---|---|
| iOS 13 -- 15.1.1 | buffout | WebContent R/W | iOS 15.2 | CVE-2021-30952 |
| iOS 15.2 -- 15.5 | jacurutu | WebContent R/W | iOS 15.6 | CVE-2022-48503 |
| iOS 15.6 -- 16.1.2 | bluebird | WebContent R/W | iOS 16.2 | none assigned |
| iOS 16.2 -- 16.5.1 | terrorbird | WebContent R/W | iOS 16.6 | CVE-2023-43000 |
| iOS 16.6 -- 17.2.1 | cassowary | WebContent R/W | iOS 16.7.5 and 17.3 | CVE-2024-23222 |
| iOS 13 -- 14.x | breezy | WebContent PAC bypass | unknown | none |
| iOS 15 -- 16.2 | breezy15 | WebContent PAC bypass | unknown | none |
| iOS 16.3 -- 16.5.1 | seedbell | WebContent PAC bypass | unknown | none |
| iOS 16.6 -- 16.7.12 | seedbell_16_6 | WebContent PAC bypass | unknown | none |
| iOS 17 -- 17.2.1 | seedbell_17 | WebContent PAC bypass | unknown | none |
| iOS 16.0 -- 16.3.1 and 16.4.0 (devices ≤ A12) | IronLoader | WebContent sandbox escape | iOS 15.7.8 and 16.5 | CVE-2023-32409 |
| iOS 16.4.0 -- 16.6.1 (A13–A16 devices) | NeuronLoader | WebContent sandbox escape | iOS 17.0 | none |
| iOS 13.x | Neutron | Privilege escalation | iOS 14.2 | CVE-2020-27932 |
| iOS 13.x | Dynamo | Privilege escalation info-leak | iOS 14.2 | CVE-2020-27950 |
| iOS 14 -- 14.4.x | Pendulum | Privilege escalation | iOS 14.7 | none |
| iOS 14.5 -- 15.7.6 | Photon | Privilege escalation | iOS 15.7.7 and 16.5.1 | CVE-2023-32434 |
| iOS 16.4 -- 16.7 | Parallax | Privilege escalation | iOS 17.0 | CVE-2023-41974 |
| iOS 15.2 -- 17.2.1 | Gruber | Privilege escalation | iOS 16.7.6 and 17.3 | none |
| iOS 13.x | Quark | PPL bypass | iOS 14.5 | none |
| iOS 14.x | Gallium | PPL bypass | iOS 15.7.8 and 16.6 | CVE-2023-38606 |
| iOS 15.0 -- 16.7.6 | Carbone | PPL bypass | iOS 17.0 | none |
| iOS 17.0 -- 17.3 | Sparrow | PPL bypass | iOS 16.7.6 and 17.4 | CVE-2024-23225 |
| iOS 17.1 -- 17.4 | Rocket | PPL bypass | iOS 16.7.8 and 17.5 | CVE-2024-23296 |
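As an added example (not from the Google report or from this post), here is a small Python check that tells you which of the chains above still apply to a given iOS build. It encodes only a subset of the table's rows, and the way it reads "patched in 16.7.5 and 17.3" (each major branch has its own fix; a chain with an unknown patch version is treated as still open) is my own assumption.

```python
# Added example, not from the Google report or this post: checks which of the
# Coruna chains listed above still apply to a given iOS build. Only a subset of
# the table's rows is encoded; the range and fix values are the ones on the page.
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]
WILDCARD = 10**6  # stands in for 'x' (any point release) in an upper bound


def parse_version(s: str, upper: bool = False) -> Version:
    """'16.7.12' -> (16, 7, 12). Missing parts and 'x' pad with 0 for a lower
    bound or a device build, and with WILDCARD for an upper bound, so that
    '13.x' as an upper bound sits above every 13.y.z build."""
    fill = WILDCARD if upper else 0
    parts = [fill if p == "x" else int(p) for p in s.strip().split(".")]
    parts += [fill] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


# (name, type, lowest affected, highest affected, fix versions or None=unknown)
CHAINS = [
    ("cassowary", "WebContent R/W", "16.6", "17.2.1", ["16.7.5", "17.3"]),
    ("seedbell_16_6", "WebContent PAC bypass", "16.6", "16.7.12", None),
    ("Neutron", "Privilege escalation", "13.x", "13.x", ["14.2"]),
    ("Gruber", "Privilege escalation", "15.2", "17.2.1", ["16.7.6", "17.3"]),
    ("Rocket", "PPL bypass", "17.1", "17.4", ["16.7.8", "17.5"]),
]


def is_fixed(v: Version, fixes: Optional[List[str]]) -> bool:
    """Assumption: 'patched in 16.7.5 and 17.3' means each major branch got its
    own fix, so a build counts as fixed only if it is at or past the fix for
    its own major version. An unknown patch version never counts as fixed."""
    if not fixes:
        return False
    return any(v[0] == f[0] and v >= f for f in map(parse_version, fixes))


def exposure(device_version: str) -> List[str]:
    """Return the chains (name and type) a device on this build is still exposed
    to: inside the affected range and not at a fixed version."""
    v = parse_version(device_version)
    hits = []
    for name, kind, lo, hi, fixes in CHAINS:
        if parse_version(lo) <= v <= parse_version(hi, upper=True) and not is_fixed(v, fixes):
            hits.append(f"{name} ({kind})")
    return hits


if __name__ == "__main__":
    for build in ("13.5", "15.7.1", "16.7.5", "17.2.1", "17.3", "17.5"):
        print(build, "->", exposure(build) or "no listed chain applies")
```

Note that a 15.x build still shows Gruber as open because the page lists fixes only on the 16.7 and 17 branches; extend CHAINS with the remaining rows of the table to get the full picture.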
Also, at the end of the exploitation chain, a stager binary called PlasmaLoader (tracked by GTIG as PLASMAGRID), using com.apple.assistd as an identifier, facilitates communication with the kernel component established by the exploit. The loader injects itself into powerd, a daemon running as root on iOS.
The injected payload doesn't exhibit the usual capabilities we would expect from a surveillance vendor; instead, it steals financial information. The payload can decode QR codes from images on disk. It also has a module that analyzes blobs of text, looking for BIP39 word sequences or very specific keywords like "backup phrase" or "bank account." If such text is found in Apple Memos, it is sent back to the C2.
Target: iOS 13.0 to 17.2.1
To the iPhone users who complain that their device malfunctions when they upgrade: it is high time you updated or got a newer model. Otherwise, it is better to switch to an Android device that can run the latest Android versions.
Full blog post:
https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit