
Google has uncovered a sophisticated exploitation framework known as Coruna that targets Apple iPhones and is being used to steal cryptocurrency from unsuspecting users.
The discovery was made by Google’s Threat Intelligence Group after investigators observed the toolkit operating in real-world phishing campaigns against iPhone users.
Security researchers reported that Coruna specifically targets Apple devices running iOS versions between 13.0 and 17.2.1 through carefully crafted malicious websites.
The toolkit contains advanced exploit chains designed to compromise devices once a victim visits a compromised webpage disguised as a legitimate cryptocurrency platform.
Investigators said attackers frequently lure users to fraudulent crypto trading or wallet websites that appear authentic to gain the victim’s trust.
Once the malicious site loads, hidden JavaScript automatically analyses the visitor’s device model and iOS version to determine which exploit chain should be deployed.
The exploit then runs silently in the background and allows attackers to gain access to sensitive information stored on the compromised device.
Researchers confirmed that the malware is capable of extracting cryptocurrency wallet recovery phrases, login credentials, passwords and other private information.
Attackers can use this information to access digital wallets and transfer cryptocurrency assets away from victims within seconds.
Analysts noted that most victims targeted in the campaign appear to be cryptocurrency holders who interact with digital asset platforms through mobile browsers.
The origin of the Coruna exploit kit remains uncertain, although investigators observed similarities with tools previously associated with sophisticated threat groups.
The toolkit has reportedly been detected on fraudulent Chinese cryptocurrency websites as well as in phishing campaigns directed at Ukrainian users.
After the exploit was discovered, Google alerted Apple about the vulnerabilities being abused by the Coruna framework.
Apple subsequently released security updates designed to patch several of the weaknesses exploited by the malicious toolkit.
Despite the patches, researchers warn that devices running outdated versions of iOS remain vulnerable to these types of attacks.
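
For defenders who want to find devices still inside the reported iOS 13.0 to 17.2.1 range, the following added example (not code from Google's report or from the toolkit) triages web proxy log lines by the iOS version in the Safari user agent. The tab-separated log format, client addresses and sample lines are constructed, and it assumes the user agent reflects the device's real iOS version.

```python
import re

# Affected range as stated in the article: iOS 13.0 through 17.2.1, inclusive.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# iPhone Safari reports the OS as e.g. "(iPhone; CPU iPhone OS 17_2_1 like Mac OS X)".
_IPHONE_OS = re.compile(r"\(iPhone;[^)]*?\bOS (\d+)_(\d+)(?:_(\d+))?")

def iphone_os_version(user_agent):
    """Return (major, minor, patch) for an iPhone user agent, else None."""
    m = _IPHONE_OS.search(user_agent)
    if not m:
        return None
    # A missing patch component ("16_6") is treated as .0
    return tuple(int(p) if p else 0 for p in m.groups())

def in_affected_range(version):
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def triage(log_lines):
    """Return {client: version} for clients whose most recent iPhone
    user agent falls inside the affected range."""
    latest = {}
    for line in log_lines:
        client, sep, ua = line.partition("\t")
        if not sep:
            continue  # malformed line, no tab separator
        version = iphone_os_version(ua)
        if version is not None:
            latest[client] = version  # later lines overwrite earlier ones
    return {c: ".".join(map(str, v))
            for c, v in latest.items() if in_affected_range(v)}

# Constructed sample input (hypothetical clients, chronological order).
_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS {} like Mac OS X) "
       "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari/604.1")
SAMPLE_LOG = [
    "10.0.0.11\t" + _UA.format("16_6"),
    "10.0.0.12\t" + _UA.format("17_2_1"),
    "10.0.0.13\t" + _UA.format("17_3"),
    "10.0.0.14\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "10.0.0.15\t" + _UA.format("15_8"),
    "10.0.0.15\t" + _UA.format("17_4_1"),  # same client, seen again after updating
    "line with no tab separator",
]

if __name__ == "__main__":
    for client, version in triage(SAMPLE_LOG).items():
        print(f"{client}\tiOS {version}\tin affected range, update required")
```

Clients flagged here are candidates for a forced update, since the article notes that devices on outdated iOS versions remain exposed.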