CryptoWaters

The framework is designed to fingerprint the device to determine if it's real and gather details, including the specific iPhone model and iOS software version it is running.

"Phase 1: target fingerprinting... checks the User-Agent... distinguishes iOS from macOS... IndexedDB Blob insertion test... WebAssembly memory oracle... iOS version extracted... exploit paths selected"

GTIG tracked the use of the exploit in highly targeted attacks by a surveillance vendor’s customer, in Ukrainian watering hole campaigns by UNC6353, and later in broad-scale attacks by Chinese financial threat actor UNC6691

The Coruna exploit kit, also called CryptoWaters, targets iOS 13.0 through 17.2.1 and includes 23 separate exploits and five exploit chains, affecting Web content, WebKit, and system protections like PAC and PPL.

"Compromised third-party scripts... A supply chain compromise of any one of them... could have turned every site using that script into a Coruna delivery node... Ad networks... a single malicious creative served through a programmatic ad network"

It uses a custom JavaScript framework and loaders to deliver tailored exploits.

The Coruna exploit chain starts with a Safari-based stager that identifies the target device and selects suitable exploits based on browser version.

"Many of these sites explicitly instruct users to visit from a mobile device for a 'better experience,' a social engineering nudge"

"heap spraying with 16-element arrays... allocates 40 MB... fills JIT memory with predictable patterns using a JIT spray of repeated x += 1 statements"

Researchers analyzed five kernel exploits in Coruna and found one is an updated version of the exploit used in Operation Triangulation.

The exploit chain goes through six stages ... Escape the Safari browser sandbox ...

"Phase 3: defeating ASLR via dyld shared cache scanning... locates WebCore... reads __TEXT segment headers... determine their load addresses"

Its final payload PlasmaLoader targets banking data, cryptocurrency wallets, and other sensitive information, using encrypted communications and a custom domain generation algorithm seeded with "lazarus."

"heap spraying with 16-element arrays... allocates 40 MB... fills JIT memory with predictable patterns using a JIT spray of repeated x += 1 statements"

It removes traces of the attack, selects a target process, injects a stager, and executes it to deploy the final malware.

The payload then decrypts and processes multiple layers of data using ChaCha20 and LZMA compression, revealing structured containers that store files and instructions.

"Anti-analysis checks... aborts if Lockdown Mode is detected... skips execution in private browsing... verifies a real WebKit rendering engine... checks for RTCPeerConnection... reports... 1003 means a sandbox was detected"

The launcher handles post-exploitation tasks. Instead of re-running the exploit, it reuses existing kernel access created earlier to read and write memory. It removes traces of the attack, selects a target process, injects a stager, and executes it to deploy the final malware.

“The framework uses fingerprinting to detect device type and iOS version, then loads the appropriate WebKit RCE exploit...”

"Anti-analysis checks... aborts if Lockdown Mode is detected... skips execution in private browsing... verifies a real WebKit rendering engine... checks for RTCPeerConnection... reports... 1003 means a sandbox was detected"

Its final payload PlasmaLoader targets banking data, cryptocurrency wallets, and other sensitive information

"reports the outcome to the C2 via a GET request to <base_url>?e=<code>"

UNC6691 has been observed weaponizing the exploit to deliver a stager binary codenamed PlasmaLoader (aka PLASMAGRID) that's designed to decode QR codes from images and run additional modules retrieved from an external server.

Its final payload PlasmaLoader targets banking data, cryptocurrency wallets, and other sensitive information, using encrypted communications and a custom domain generation algorithm seeded with "lazarus."

"The C2 domains (the 27 DGA-generated .xyz domains)... short-lived, algorithmically generated fallback domains"

“...If such text is found in Apple Memos it will be sent back to the C2.”