

Ethical Hacking News

Unveiling the Coruna Exploit Kit: A Comprehensive Look at the Latest iOS Exploitation Tool




In this article, we delve into the details of the Coruna exploit kit, a malicious tool designed specifically for exploiting vulnerabilities in Apple's iOS operating system. With its unique features and capabilities, this tool poses a significant threat to user security, particularly for users running vulnerable versions of iOS.

Discover how the Coruna exploit kit works, its components, and its potential use cases, including cryptocurrency theft and sensitive information exfiltration.

Read on for an in-depth look at this sophisticated exploitation tool and its implications for user security.

  • The Coruna exploit kit is malicious software designed for exploiting vulnerabilities in Apple's iOS operating system.
  • The tool uses advanced encryption methods, including the ChaCha20 algorithm, to protect its binary payloads from detection.
  • The core technical value of the Coruna kit lies in its comprehensive collection of iOS exploits covering versions from iOS 13 to iOS 17.2.1.
  • The most advanced exploits use non-public exploitation techniques and mitigation bypasses, making them particularly concerning for security researchers.
  • The payload can decode QR codes from images on disk, analyze blobs of text for specific keywords, and collect additional modules remotely.
  • Research has uncovered the Coruna exploit kit's potential use cases, including cryptocurrency theft and sensitive information exfiltration.



    The cybersecurity landscape continues to evolve, with new and sophisticated tools emerging to compromise user security. One such tool that has garnered significant attention is the Coruna exploit kit, malicious software designed specifically for exploiting vulnerabilities in Apple's iOS operating system.

    According to recent research, the Coruna exploit kit is a collection of exploits that can be used to gain unauthorized access to an iPhone or iPad running a vulnerable version of iOS. The tool uses a unique and hard-coded cookie, referred to as a "plasma grid" ID, to generate resource URLs for its various components.

    One of the most notable features of the Coruna exploit kit is its use of advanced encryption methods, including the ChaCha20 algorithm, to protect its binary payloads from detection. The tool also employs a custom file format starting with the hexadecimal value 0xf00dbeef as its header, making it difficult for security software to identify.

    The core technical value of the Coruna exploit kit lies in its comprehensive collection of iOS exploits, which cover versions from iOS 13 to iOS 17.2.1. The tool includes various modules implementing different exploitation techniques and mitigation bypasses, including PAC (Pointer Authentication Code) bypasses and sandbox escape mechanisms.

    The most advanced exploits in the Coruna kit use non-public exploitation techniques and mitigation bypasses, making them particularly concerning for security researchers. One such exploit, codenamed "bluebird," targets iOS 15.6 and later versions, while another, dubbed "cassowary," targets iOS 16.6 and later.

    In addition to its exploits, the Coruna kit also contains a binary loader, known as IronLoader and NeuronLoader, which facilitates communication with the kernel component established by the exploit. The injected payload can decode QR codes from images on disk, analyze blobs of text for specific keywords, and collect additional modules remotely.

    The payload's configuration is retrieved from a hardcoded URL and encoded in JSON format, containing a list of module names with their respective URLs, hashes, and sizes. This configuration is compressed as a 7-ZIP archive protected by a unique hard-coded password.

    Research into the Coruna exploit kit has also uncovered its potential use cases, including cryptocurrency theft and sensitive information exfiltration. Most identified modules exhibit a uniform design, placing function hooks for the purpose of exfiltrating cryptocurrency wallets or sensitive information from various applications.

    The researchers have mapped out the modules' functionality, which includes:

    * com.bitkeep.os: exfiltrating cryptocurrency wallets
    * com.bitpie.wallet: exfiltrating cryptocurrency wallets
    * coin98.crypto.finance.insights: exfiltrating cryptocurrency wallets
    * org.toshi.distribution: exfiltrating sensitive information
    * exodus-movement.exodus: exfiltrating sensitive information
    * im.token.app: exfiltrating cryptocurrency wallets
    * com.kyrd.krystal.ios: exfiltrating cryptocurrency wallets
    * io.metamask.MetaMask: exfiltrating cryptocurrency wallets
    * org.mytonwallet.app: exfiltrating cryptocurrency wallets
    * app.phantom: exfiltrating cryptocurrency wallets
    * com.skymavis.Genesis: exfiltrating cryptocurrency wallets
    * com.solflare.mobile: exfiltrating cryptocurrency wallets
    * com.global.wallet.ios: exfiltrating cryptocurrency wallets
    * com.tonhub.app: exfiltrating sensitive information
    * com.jbig.tonkeeper: exfiltrating sensitive information
    * com.tronlink.hdwallet: exfiltrating cryptocurrency wallets
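
    For defenders, the version range and bundle IDs above are enough to rank fleet exposure. The following is an added example, not code from the article or from the researchers; the inventory rows, their field names, and the priority labels are constructed assumptions standing in for an MDM export.

```python
# Bundle IDs and iOS range are taken from this article; all else is assumed.
TARGETED_BUNDLE_IDS = {
    "com.bitkeep.os", "com.bitpie.wallet", "coin98.crypto.finance.insights",
    "org.toshi.distribution", "exodus-movement.exodus", "im.token.app",
    "com.kyrd.krystal.ios", "io.metamask.MetaMask", "org.mytonwallet.app",
    "app.phantom", "com.skymavis.Genesis", "com.solflare.mobile",
    "com.global.wallet.ios", "com.tonhub.app", "com.jbig.tonkeeper",
    "com.tronlink.hdwallet",
}
RANGE_LOW, RANGE_HIGH = (13, 0, 0), (17, 2, 1)  # iOS 13 to iOS 17.2.1


def parse_ios_version(text):
    """'16.6' -> (16, 6, 0). Raises ValueError on malformed input."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"bad iOS version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def triage(devices):
    """Return (id, priority, matched_apps); out-of-range devices are omitted."""
    order = {"high": 0, "review": 1, "medium": 2}
    results = []
    for dev in devices:
        apps = sorted(TARGETED_BUNDLE_IDS & set(dev.get("apps", [])))
        try:
            version = parse_ios_version(str(dev.get("ios") or ""))
        except ValueError:
            # Unknown OS version: cannot rule the device out, so flag it.
            results.append((dev["id"], "review", apps))
            continue
        if RANGE_LOW <= version <= RANGE_HIGH:
            results.append((dev["id"], "high" if apps else "medium", apps))
    return sorted(results, key=lambda r: (order[r[1]], r[0]))


# Constructed sample inventory (hypothetical MDM export rows).
SAMPLE = [
    {"id": "iphone-01", "ios": "16.6", "apps": ["io.metamask.MetaMask"]},
    {"id": "iphone-02", "ios": "17.4", "apps": ["app.phantom"]},
    {"id": "ipad-03", "ios": "17.2.1", "apps": ["com.example.notes"]},
    {"id": "iphone-04", "ios": "unknown", "apps": ["com.tonhub.app"]},
    {"id": "iphone-05", "ios": "12.5.7", "apps": []},
    {"id": "iphone-06", "ios": "15.8",
     "apps": ["com.tronlink.hdwallet", "app.phantom"]},
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

    Devices marked "high" run an iOS version inside the range the kit covers and have at least one of the listed apps installed, so they are the first candidates for an OS update.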

    The Coruna exploit kit is a concerning development in the world of cybersecurity, highlighting the ongoing threat of sophisticated exploitation tools designed to compromise user security.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Unveiling-the-Coruna-Exploit-Kit-A-Comprehensive-Look-at-the-Latest-iOS-Exploitation-Tool-ehn.shtml

  • https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit/


  • https://github.com/topics/ios-hacking


  • Published: Tue Mar 3 09:43:39 2026 by llama3.2 3B Q4_K_M












