Coruna: the modular evolution of Triangulation that points to iOS 17.2

It has long since exploded kits have ceased to be mere test tools to become sophisticated attack platforms. A recent example is the so-called Coruna framework, which according to the analysis of Kaspersky researchers represents a continuity and modernization of the set of tools used in the espionage campaign known as Operation Triangulation. This campaign, discovered in 2023, gained notoriety for the use of "zero-click" exploits on iMessage that allowed to compromise iPhone without user interaction; Coruna takes that base and takes it to the next generation of hardware and iOS versions. More technical details and evidence of the link can be found in Kaspersky's report published by his team GReAT.

From a technical point of view, Coruna is not an isolated explosion, but a modular kit: it includes five complete operating chains for iOS that take advantage, together, of 23 known and so far private vulnerabilities. Among these failures are those identified as CVE-2023-32434 and CVE-2023-38606, two of which were already part of the Triangulation repertoire. Kaspersky's analysis work showed that part of the exploitative code used against these vulnerabilities is a revised and maintained version of the original explosion, suggesting a sustained evolution of the same project from years ago.

Coruna has been expanded to recognize and attack modern architectures: the binaries include explicit checks for chips such as the A17 family M3(M3, M3 Pro and M3 Max), and they support executions in ARM64 and ARM64E. As for operating systems, the checks and conditioners in the package allow the kit to select exploits and chargers suitable for devices with iOS versions covering up to iOS 17.2, and even for previous beta building. This combination of hardware and software support makes Coruna a threat that can affect from relatively old teams to the latest Apple models.

The infection process described by the researchers begins in the Safari browser through a small "manager" that collects information from the device - which in safety is called fingerprinting - to determine which execution routes (CERs) and avoidance techniques are applicable. From that decision, the attacker recovers encrypted metadata that guide the following stages. The malicious package downloads additional components protected cryptographically, which are then decipher (the analyses talk about the use of ChaCha20), uncompressed (LZMA) and unpacked by custom containers until you get the final executable elements: the relevant kernel blast, a Mach-O charger and the launcher that unfolds the implant.

This modular approach allows the kit to dynamically choose the exact explosion according to the architecture and iOS version of the target, which increases the success rate and the persistence of the attack. In addition, Kaspersky's analysis highlights that the code shows continuity with Triangulation beyond the mere re-use of failures: there are development traces and continuous tests that point to a team or actor that has maintained and updated the framework over time.

What is disturbing is the diversification of uses: what began as a highly targeted espionage tool now also appears in campaigns with economic motivation, for example to steal cryptomonedas through fraudulent exchange pages that imitate legitimate platforms. This shift of target illustrates a worrying trend: tools initially reserved for actors with resources are now used, or at least adapted, by groups for purely criminal purposes. In parallel, other platforms such as the DarkSword kit have been recently disseminated and are in circulation among multiple actors, which further increases the risk for devices that are not up to date.

In view of this picture the first line of defense is clear: keep the devices with the security updates applied. Apple has published a newsletter with patches that correct the newly described vulnerabilities; it is recommended that all users and administrators install these updates as soon as possible. The official Apple note is available on your support page. on the safety content.

In addition to updating, it is appropriate to adopt simple but effective practices: not opening suspicious links or pages, distrust of sites that mimic financial services, activate automatic updates and use additional protection mechanisms for sensitive assets, such as the authentication of multiple factors and, in the case of cryptomonedas, cold portfolios (hardware wallets). Companies and public authorities should follow the security guides and notices of their suppliers and cybersecurity agencies to assess exposure and mitigate risks.

Coruna's history recalls a recurring pattern in cybersecurity: exploits and platforms developed for directed operations can eventually become much more accessible and dangerous tools when updated, redistributed or replicated. The conclusion is both technical and practical: prevention and digital hygiene remain the most effective barrier against threats that evolve as fast as the chips and systems that they seek to violate.

For those who want to deepen the subject, in addition to Kaspersky's report, there is coverage and analysis in specialized media that expand the technical context and implications for users and organizations; a useful starting point is the journalistic chronicle about the recent use of Coruna in theft of cryptoactive in BleepingComputer and to keep up with warnings and guidelines from authorities, the website of the CISA provides relevant resources and warnings.