iPhones targeted by 'new and powerful' malware - and "Coruna" may have been developed by the US government

News
By published

Coruna may have been developed by the US government

A US flag with a large green eye peering through the red and white stripes of the flag.
(Image credit: Shutterstock)
  • Google researchers discover highly complex exploit kit, dubbed 'Coruna'
  • The kit was deployed by a surveillance software customer, before being used by Russian and Chinese threat actors
  • Documentation from the kit shows evidence of being developed by the US government

A highly complex exploit kit targeting iPhones has been discovered by Google Threat Intelligence Group (GTIG) researchers, which contains non-public exploitations and bypasses.

The kit, tracked as “Coruna”, was initially used in targeted attacks by a customer of an unnamed surveillance company, before also popping up in use by Russian and Chinese threat actors before the full kit could be retrieved by GTIG.

Further research by the iVerify team into the sources of the exploits contained within the kit has indicated that the kit may have been developed as a US government framework.

iPhone exploit kit developed by US government

The Coruna exploit kit is not like any regular malware developed by a common or garden hacker.

The complexity of the kit, which contains 23 exploits that work in various configurations to form five full exploit chains, signifies that the kit was assembled by a nation-state. The exploit kit is also unique in that it works to compromise devices en masse, rather than the surgical target-specific nature of spyware developed by surveillance companies, with iVerify dubbing Coruna as the “first known mass iOS attack.”

The full exploit kit was retrieved by Google after a Chinese threat actor deployed the kit for use on several gambling and cryptocurrency sites. However, when analyzed by iVerify, the exploit kit contained extensive documentation written in native English. The highly organized nature of the kit’s framework also shared similarities to frameworks developed by the US government.

The final payload of the exploit kit retrieved from the Chinese threat actors was designed to access and retrieve financial information such as crypto wallets, as well as media files and sensitive personal information.

iVerify further notes that Coruna has followed a similar trajectory to spyware and exploits developed by surveillance vendors that are then sold to governments. The exploits are are deployed in the wild by the end user, such as a government agency, where they can be picked up and stolen by other threat actors and deployed.

The most notable example of this being the EternalBlue exploit software, which utilized a zero-day exploit to compromise Microsoft devices. EternalBlue was actively used by the US National Security Agency (NSA) for several years, with Microsoft only being notified of the zero-day after EternalBlue was stolen.

The iVerify team added that, “Brokers can’t be trusted with these capabilities and business to business transactions over the spyware market are highly unregulated.” The Pall Mall Process - an international framework developed to address the irresponsible development and sale of spyware and surveillance software - was specifically designed to prevent the exact situation that occurred with EternalBlue, and may have occurred with the Coruna kit.

How to stay protected

The Coruna kit uses exploits deployed against iPhones running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). By upgrading to the latest iOS version, your device will be protected against all the exploits used in the Coruna kit.

Users who are unable to upgrade their device to the latest iOS version should place their iPhone in Lockdown Mode. To do this, take the following steps:

  1. Go to Settings, then Privacy and Security
  2. Scroll down and tap Lockdown Mode
  3. Tap Turn On Lockdown Mode

Users who believe their device may have been infected should consult the GTIG indicators of compromise, and iVerify’s ‘How to get rid of it’ section.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

TOPICS
Benedict Collins
Benedict Collins
Senior Writer, Security

Benedict has been with TechRadar Pro for over two years, and has specialized in writing about cybersecurity, threat intelligence, and B2B security solutions. His coverage explores the critical areas of national security, including state-sponsored threat actors, APT groups, critical infrastructure, and social engineering.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the Centre for Security and Intelligence Studies at the University of Buckingham, providing him with a strong academic foundation for his reporting on geopolitics, threat intelligence, and cyber-warfare.

Prior to his postgraduate studies, Benedict earned a BA in Politics with Journalism, providing him with the skills to translate complex political and security issues into comprehensible copy.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.