Urgent iPhone Alert: New 'Coruna' Exploit Kit Targets Crypto Holders
Google's Threat Intelligence Group (GTIG) has issued a critical warning to iPhone users, particularly those engaged with cryptocurrencies. A sophisticated new iOS exploit kit, dubbed "Coruna," has been discovered actively targeting Apple devices, capable of silently compromising iPhones to steal sensitive financial and crypto wallet data. This alarming development underscores the escalating risks in the digital asset space.
The Coruna Exploit: A Highly Potent Threat
The Coruna exploit kit is delivered from fake finance and cryptocurrency websites. When a vulnerable iPhone loads one of these pages, no further user interaction is needed: the kit fingerprints the device and, if the iOS version is one it can attack, injects a hidden iframe that triggers a WebKit remote code execution (RCE) exploit chained with a Pointer Authentication Code (PAC) bypass. GTIG's analysis found five full exploit chains and 23 individual exploits bundled in the kit, covering iOS versions from 13.0 up to 17.2.1. One of the WebKit RCE components has been tied to CVE-2024-23222, a WebKit bug Apple patched in iOS 17.3 in January 2024, so a device running 17.3 or later falls outside the kit's stated targeting range.

The threat actor, tracked as UNC6691, is financially motivated. GTIG traces its evolution from commercial surveillance use to broad-scale scam distribution via Chinese-language platforms.

The objective is data exfiltration, with a heavy focus on financial information. Once a device is compromised, a payload called PlasmaLoader (tracked as PLASMAGRID) is deployed. It decodes QR codes found in stored images, scans text for sequences that look like BIP39 seed phrases, and searches apps like Apple Memos for keywords such as "backup phrase" and "bank account". It also targets popular wallet apps, including MetaMask, Trust Wallet, Uniswap's wallet, Phantom, Exodus, and TON ecosystem wallets such as Tonkeeper, to harvest seed phrases and other wallet data. The practical lesson is that a seed phrase kept as a note or a screenshot is exactly what this payload is built to find: anything the phone's owner can read in Notes or Photos, malware with the same access can read too.
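The text-scanning part of what PlasmaLoader does is also a useful defensive check: the same logic finds seed phrases sitting in notes or exported text before an attacker does. The following is an added example written for this page, not code from GTIG or from the malware; it scans a note for runs of BIP39 words of mnemonic length and for the keywords the report names. To run offline it uses a constructed subset of the BIP39 English wordlist; a real scanner would load the full 2048-word reference list (an assumption about deployment), and the QR-code and image path described above is out of scope here. The names `scan_note`, `find_mnemonic_runs`, `find_keywords` and `Finding` are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed subset of the 2048-word BIP39 English wordlist so this demo
# runs offline. A deployed scanner would load the full reference list
# (bip39/english.txt); that is an assumption of this example, not something
# the GTIG write-up specifies.
BIP39_SUBSET = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse
access accident account accuse achieve acid acoustic acquire across act
action actor actress actual adapt add addict address adjust admit
wolf woman wonder wood wool word work world worry worth wrap wreck
zebra zero zone zoo
""".split())

# Legal BIP39 mnemonic sizes: 12 to 24 words in steps of 3.
MNEMONIC_LENGTHS = (12, 15, 18, 21, 24)

# The two keywords named in the report plus two common synonyms added here.
KEYWORDS = ("backup phrase", "bank account", "seed phrase", "recovery phrase")

WORD_RE = re.compile(r"[A-Za-z]+")


@dataclass
class Finding:
    kind: str                   # "mnemonic" or "keyword"
    start: int                  # character offsets into the scanned text
    end: int
    detail: str                 # redacted summary, never the full secret
    word_count: int = 0         # run length for mnemonic findings
    exact_length: bool = False  # True if word_count is a legal BIP39 size


def find_mnemonic_runs(text, wordlist, min_words=MNEMONIC_LENGTHS[0]):
    """Flag every maximal run of consecutive words that are all in `wordlist`
    and at least `min_words` long. Runs longer than a legal size are still
    reported (exact_length=False) so a phrase padded with other wordlist
    words is not missed."""
    tokens = [(m.start(), m.end(), m.group().lower())
              for m in WORD_RE.finditer(text)]
    findings = []
    i, n = 0, len(tokens)
    while i < n:
        if tokens[i][2] not in wordlist:
            i += 1
            continue
        j = i
        while j < n and tokens[j][2] in wordlist:
            j += 1
        run = tokens[i:j]
        if len(run) >= min_words:
            # Redact: keep only the first and last word so an analyst can
            # confirm the hit without the finding itself becoming a leak.
            detail = f"{run[0][2]} ... {run[-1][2]} ({len(run)} words)"
            findings.append(Finding("mnemonic", run[0][0], run[-1][1], detail,
                                    word_count=len(run),
                                    exact_length=len(run) in MNEMONIC_LENGTHS))
        i = j
    return findings


def find_keywords(text, keywords=KEYWORDS):
    """Case-insensitive search for each keyword; one Finding per occurrence."""
    findings = []
    lowered = text.lower()
    for kw in keywords:
        pos = lowered.find(kw)
        while pos != -1:
            findings.append(Finding("keyword", pos, pos + len(kw), kw))
            pos = lowered.find(kw, pos + 1)
    return findings


def scan_note(text, wordlist=BIP39_SUBSET):
    """Scan one note body and return all findings sorted by offset."""
    return sorted(find_mnemonic_runs(text, wordlist) + find_keywords(text),
                  key=lambda f: (f.start, f.kind))


# Constructed sample note (not real data) for a stand-alone run.
SAMPLE_NOTE = """Backup phrase for the new wallet:
abandon ability able about above absent absorb abstract absurd abuse access accident
Remember to move funds to the hardware wallet.
Bank account: ending 4421
"""

if __name__ == "__main__":
    for f in scan_note(SAMPLE_NOTE):
        print(f"{f.kind:8} @{f.start}-{f.end}: {f.detail}")
```

Two design choices matter in practice. The scanner reports a redacted summary rather than the matched words, because a detection log that contains the seed phrase is itself a second copy of the secret. And it flags any run of at least twelve wordlist words rather than only exact mnemonic sizes, trading a few false positives from prose for not missing a phrase that happens to sit next to another dictionary word; with the full 2048-word list, a BIP39 checksum verification can be added to cut those false positives.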
Immediate Action for Protecting Your Digital Assets
Given the severity of the Coruna exploit kit, Google urges all iPhone users to update to the latest iOS immediately; the kit's chains cover iOS 13.0 through 17.2.1, so any current release is outside its range. For devices that cannot be updated right away, enabling Apple's Lockdown Mode is the recommended interim measure: among other restrictions it disables some complex web technologies in Safari, which narrows the browser attack surface a kit like this depends on, although it is not a substitute for patching. GTIG has also added the malicious websites and domains associated with Coruna to Google Safe Browsing, so Chrome and other browsers that use the Safe Browsing service will warn before loading them.

This incident highlights the particular exposure of mobile cryptocurrency users. Mobile wallets hold high-value assets on a device that browses the web constantly, which makes them prime targets for "visit-to-compromise" campaigns like Coruna: simply loading a booby-trapped page is enough to start the chain, with no download or prompt involved. As the cryptocurrency market continues its dynamic movements, with the total crypto market cap currently standing at $2.45 trillion, vigilance and proactive security measures remain paramount for all digital asset holders.