Add Coruna/CryptoWaters indicators

2026-03-03_coruna_cryptowaters/README.md

@@ -0,0 +1,19 @@
+# Coruna / CryptoWaters Indicators of Compromise
+
+This repository contains network and device indicators of compromise (IoCs) related to the Coruna exploit kit, PLASMAGRID implant, and the CryptoWaters campaign targeting iOS devices and cryptocurrency wallet applications. These indicators were compiled from multiple reports including:
+
+* [Campaigns exploiting Signal, Line, and Google Chrome to target devices in multiple countries](https://blog.google/threat-analysis-group/campaigns-exploiting-signal-line-and-google-chrome/) by Google Threat Analysis Group (TAG)
+* [CryptoWaters: iVerify Discovers New iOS Threat Targeting Crypto Wallets](https://iverify.io/blog/cryptowaters) by iVerify
+
+The campaign has been attributed to two clusters tracked by Google TAG as UNC6353 and UNC6691. The Coruna exploit kit delivers a post-exploitation implant known as PLASMAGRID, which targets cryptocurrency wallet applications on iOS devices.
+
+The STIX2 file can be used with the [Mobile Verification Toolkit](https://github.com/mvt-project/mvt) to look for potential signs of compromise on iPhones.
+
+It includes the following files:
+
+* `coruna.stix2`: [STIX2](https://oasis-open.github.io/cti-documentation/stix/intro.html) file containing all indicators
+* `domains.txt`: list of PLASMAGRID C2 domains and Coruna exploit kit delivery domains
+* `sha256.txt`: SHA-256 hashes of the PLASMAGRID implant and its cryptocurrency wallet targeting modules
+* `file_paths.txt`: iOS filesystem paths for implant artifacts
+* `file_names.txt`: filenames associated with implant artifacts on iOS
+* `generate_stix.py`: script to regenerate the STIX2 file from the text indicator files

2026-03-03_coruna_cryptowaters/domains.txt

@@ -0,0 +1,177 @@
+snrysedijwbkwin.xyz
+uawwydy3qas6ykv.xyz
+92a3qke4at4fwmz.xyz
+wlf6n6bml3ng89q.xyz
+fxp34lig1xtahno.xyz
+vun5plmaxydremk.xyz
+8ejr7ea5jx13vbp.xyz
+fzz81wv0c5l60j6.xyz
+znjf3yk1x4yyht7.xyz
+2zaaali0ptn06q9.xyz
+hegjjypf3lzc3qn.xyz
+24e661zz9j4tcr7.xyz
+868qhkirb5l2n0i.xyz
+oqb2oaq7d1vtb4s.xyz
+pdzrz46tdskodhj.xyz
+a1ku2qvyyo09c9l.xyz
+l7coq3s7mosgetz.xyz
+erjthj4k3aqz04x.xyz
+are7nuagy9a68uf.xyz
+h1yvb0pd9gl9422.xyz
+xlvmfod3upi2ic5.xyz
+fbn98qo7hk35w0t.xyz
+e00l4axt0yf7m2k.xyz
+cphrz39s5qm4t1y.xyz
+3d4jp3f81m8fzh7.xyz
+nr48mjgvgcjgklc.xyz
+s6a7faijhiddeb8.xyz
+8kc3bu969yz7f9t.xyz
+642qipcdkhr8two.xyz
+5dr9adwy7i4ndkx.xyz
+aidm8it5hf1jmtj.xyz
+4ka4437sf5ns05x.xyz
+5h47uppyl1wplzj.xyz
+yva538ay3mz7008.xyz
+axs7x0ad629ggpf.xyz
+xr5n4fl9rt5lxsd.xyz
+ufli5en5arh9c7b.xyz
+n9cfcqvl0ihcn3a.xyz
+0zhlpgnh9op23uu.xyz
+0qx9g8ary2fzc5a.xyz
+tcqk4shuq6vosa2.xyz
+yve6eagcq7wcokf.xyz
+b96r89p5bnuwbc7.xyz
+oljxbg4phuv51ql.xyz
+2isrlfna7sc7lf8.xyz
+fdiw0xw1o9r6zk3.xyz
+fs7ag8pics8ra9n.xyz
+2hcsb7l539mxxc7.xyz
+fgr1w2gnsdvsb.xyz/x
+medobv5dkjl2bm0.xyz
+yoe31t9k75av6qp.xyz
+z2c4fbfnp1pm68b.xyz
+sm8qpfmv0ldodpj.xyz
+g18uw6zaiqeprj1.xyz
+dkuu0e7n5jsyakv.xyz
+74un9sf4iaidr9j.xyz
+qkcun3zog9k03gm.xyz
+q25b6rps0y8qe2f.xyz
+eebiov4uh9lk8i4.xyz
+lsnngjyu9x6vcg0.xyz
+vu28ylznt0izc3w.xyz
+abw3wzr59io82se.xyz
+pbp5j308edop478.xyz
+x6kcdjgagpl05z9.xyz
+57asjxkgrdwkirg.xyz
+alnjjsdbsgzza7y.xyz
+it7cp49qehrj85j.xyz
+9hl73l96udxp8dz.xyz
+cc0mvv7661lymjb.xyz
+shnqt4e97bc17l6.xyz
+jw732utrrcvqwbp.xyz
+c5t8kptatr57n7y.xyz
+6vmbk72t82wmbsu.xyz
+mxbc-v2.tjbjdod.cn
+2i93m6puuqrmbzu.xyz
+m5pfh9jwsj090e8.xyz
+amewkw0nfd11qpr.xyz
+ibrzwbxsn6rgyai.xyz
+kyaadeow5dldqu9.xyz
+0zsz6hq2adbfcgn.xyz
+k88q386znxmk4f3.xyz
+vizpwtdjlluhucu.xyz
+as75qetdi25wvgu.xyz
+bh6jnmi21q2qs7n.xyz
+dv51kcinorhi2aj.xyz
+ewllhwxz16atjlx.xyz
+noasu0d4szv6e0a.xyz
+pflfkewv5g23mag.xyz
+hmpfdh7p8n6i5zr.xyz
+14sy5i89hxoqvvz.xyz
+7w9mfrk9r6xrx6a.xyz
+1idhfxkoylkt49i.xyz
+xc824fji4wkhib2.xyz
+2d3zd2qa1i08756.xyz
+mvqpy8leaale0tx.xyz
+ccpqqe9rtz00s24.xyz
+nk3kuxai4q3hn7k.xyz
+uylbh9ab07zs0nr.xyz
+cwt92c4w1u0f70s.xyz
+ar2ojsx340jksmg.xyz
+gafa4z8n22l5z2d.xyz
+f0qxj4brxkcwtar.xyz
+3urschyiqwb7y7o.xyz
+cd6s6960b29iuzo.xyz
+dud1otgja7rnwan.xyz
+vvri8ocl4t3k8n6.xyz
+rlau616jc7a7f7i.xyz
+ol67el6pxg03ad7.xyz
+6zvjeulzaw5c0mv.xyz
+ztvnhmhm4zj95w3.xyz
+v2gmupm7o4zihc3.xyz
+pen0axt0u476duw.xyz
+hfteigt3kt0sf3z.xyz
+xfal48cf0ies7ew.xyz
+yvgy29glwf72qnl.xyz
+lk4x6x2ejxaw2br.xyz
+2s3b3rknfqtwwpo.xyz
+xjslbdt9jdijn15.xyz
+hui4tbh9uv9x4yi.xyz
+xittgveqaufogve.xyz
+xmmfrkq9oat1daq.xyz
+gdvynopz3pa0tik.xyz
+o08h5rhu2lu1x0q.xyz
+zcjdlb5ubkhy41u.xyz
+8fn4957c5g986jp.xyz
+sf2bisx5nhdkygn3l.xyz
+roy2tlop2u.xyz
+gqjs3ra34lyuvzb.xyz
+eg2bjo5x5r8yjb5.xyz
+b38w09ecdejfqsf.xyz
+cdn.uacounter.com
+ai-scorepredict.com
+m.pc6.com
+ddus17.com
+goodcryptocurrency.top
+pepeairdrop01.com
+668ddf.cc
+ios.teegrom.top
+i.binaner.com
+sj9ioz3a7y89cy7.xyz
+mkkku.com
+dbgopaxl.com
+tubeluck.com
+cryptocurrencyworld.top
+mjdqw.cn
+4u.game
+26a.online
+binancealliancesintro.com
+b27.icu
+h4k.icu
+seven7.vip
+y4w.icu
+7ff.online
+cy8.top
+7uspin.us
+seven7.to
+4kgame.us
+7p.game
+appstoreconn.com
+k96.icu
+7fun.icu
+n49.top
+98a.online
+spin7.icu
+t7c.icu
+lddx3z2d72aa8i6.xyz
+liquorfight.com
+goanalytics.xyz
+77bingos.com
+bingo777.now
+777bingos.xyz
+btrank.top
+dd9l7e6ghme8pbk.xyz
+fxrhcnfwxes90q.xyz
+kanav.blog
+3v5w1km5gv.xyz
+bestcryptocurrency.top

2026-03-03_coruna_cryptowaters/file_names.txt

@@ -0,0 +1,7 @@
+pl.core.lock
+.com.apple.mobileassetd.cache
+pl.sp.exec.guard.lock
+.com.apple.notes.cache.plist
+fsCachedData0E1A3DC1C51C2D879DE016E56D3EECE8
+blob_d6c1a21adb11f0ea023b9a35
+com.apple.photolibraryd.plist

2026-03-03_coruna_cryptowaters/file_paths.txt

@@ -0,0 +1,12 @@
+/private/var/tmp/pl.core.lock
+/private/var/tmp/relaunch
+/private/var/root/Library/Caches/com.apple.nsurlsessiond/fsCachedData0E1A3DC1C51C2D879DE016E56D3EECE8
+/private/var/root/Library/Caches/com.apple.WebKit.WebContent/blob_d6c1a21adb11f0ea023b9a35
+/private/var/mobile/Library/Caches/.com.apple.mobileassetd.cache
+/private/var/mobile/Library/Preferences/com.apple.photolibraryd.plist
+/private/var/mobile/Library/Caches/.com.apple.notes.cache.plist
+/private/var/tmp/upgrade.dylib
+/private/var/tmp/uninstall
+/private/var/tmp/stop
+/private/var/tmp/pl.sp.exec.guard.lock
+Library/Preferences/com.apple.photolibraryd.plist

2026-03-03_coruna_cryptowaters/generate_stix.py

@@ -0,0 +1,75 @@
+import sys
+import os
+from stix2.v21 import (Indicator, Malware, Relationship, Bundle)
+
+
+if __name__ == "__main__":
+    stix_name = "coruna.stix2"
+    if os.path.isfile(stix_name):
+        os.remove(stix_name)
+
+    with open("domains.txt") as f:
+        domains = list(set([a.strip() for a in f.read().split() if a.strip()]))
+
+    with open("sha256.txt") as f:
+        hashes = list(set([a.strip() for a in f.read().split() if a.strip()]))
+
+    with open("file_paths.txt") as f:
+        filepaths = list(set([a.strip() for a in f.read().splitlines() if a.strip()]))
+
+    with open("file_names.txt") as f:
+        filenames = list(set([a.strip() for a in f.read().splitlines() if a.strip()]))
+
+    res = []
+    malware = Malware(
+        name="Coruna",
+        is_family=False,
+        description="IOCs for the Coruna exploit kit, PLASMAGRID implant, "
+        "and CryptoWaters campaign targeting iOS devices and cryptocurrency "
+        "wallet apps. Attributed to UNC6353 and UNC6691."
+    )
+    res.append(malware)
+
+    for d in domains:
+        i = Indicator(
+            indicator_types=["malicious-activity"],
+            pattern="[domain-name:value='{}']".format(d),
+            pattern_type="stix"
+        )
+        res.append(i)
+        res.append(Relationship(i, 'indicates', malware))
+
+    for h in hashes:
+        i = Indicator(
+            indicator_types=["malicious-activity"],
+            pattern="[file:hashes.'SHA-256'='{}']".format(h),
+            pattern_type="stix"
+        )
+        res.append(i)
+        res.append(Relationship(i, 'indicates', malware))
+
+    for fp in filepaths:
+        i = Indicator(
+            indicator_types=["malicious-activity"],
+            pattern="[file:path='{}']".format(fp),
+            pattern_type="stix"
+        )
+        res.append(i)
+        res.append(Relationship(i, 'indicates', malware))
+
+    for fn in filenames:
+        i = Indicator(
+            indicator_types=["malicious-activity"],
+            pattern="[file:name='{}']".format(fn),
+            pattern_type="stix"
+        )
+        res.append(i)
+        res.append(Relationship(i, 'indicates', malware))
+
+    bundle = Bundle(objects=res)
+    with open(stix_name, "w+") as f:
+        f.write(bundle.serialize(indent=4))
+    print("{} file created with {} indicators".format(
+        stix_name,
+        len(domains) + len(hashes) + len(filepaths) + len(filenames)
+    ))

2026-03-03_coruna_cryptowaters/indicators_yaml_entry.txt

@@ -0,0 +1,14 @@
+  -
+    type: github
+    name: Coruna / CryptoWaters Indicators of Compromise
+    sources:
+      - Google
+      - iVerify
+    references:
+      - https://blog.google/threat-analysis-group/campaigns-exploiting-signal-line-and-google-chrome/
+      - https://iverify.io/blog/cryptowaters
+    github:
+      owner: mvt-project
+      repo: mvt-indicators
+      branch: main
+      path: coruna_cryptowaters/coruna.stix2

2026-03-03_coruna_cryptowaters/sha256.txt

@@ -0,0 +1,20 @@
+2a9d21ca07244932939c6c58699448f2147992c1f49cd3bc7d067bd92cb54f3a
+18394fcc096344e0730e49a0098970b1c53c137f679cff5c7ff8902e651cd8a3
+6eafd742f58db21fbaf5fd7636e6653446df04b4a5c9bca9104e5dfad34f547c
+42cc02cecd65f22a3658354c5a5efa6a6ec3d716c7fbbcd12df1d1b077d2591b
+0dff17e3aa12c4928273c70a2e0a6fff25d3e43c0d1b71056abad34a22b03495
+05b5e4070b3b8a130b12ea96c5526b4615fcae121bb802b1a10c3a7a70f39901
+10bd8f2f8bb9595664bb9160fbc4136f1d796cb5705c551f7ab8b9b1e658085c
+91d44c1f62fd863556aac0190cbef3b46abc4cbe880f80c580a1d258f0484c30
+721b46b43b7084b98e51ab00606f08a6ccd30b23bef5e542088f0b5706a8f780
+25a9b004cf61fb251c8d4024a8c7383a86cb30f60aa7d59ca53ce9460fcfb7de
+be28b40df919d3fa87ed49e51135a719bd0616c9ac346ea5f20095cb78031ed9
+3c297829353778857edfeaed3ceeeca1bf8b60534f1979f7d442a0b03c56e541
+499f6b1e012d9bc947eea8e23635dfe6464cd7c9d99eb11d5874bd7b613297b1
+d517c3868c5e7808202f53fa78d827a308d94500ae9051db0a62e11f7852e802
+4dfcf5a71e5a8f27f748ac7fd7760dec0099ce338722215b4a5862b60c5b2bfd
+d371e3bed18ee355438b166bbf3bdaf2e7c6a3af8931181b9649020553b07e7a
+023e5fb71923cfa2088b9a48ad8566ff7ac92a99630add0629a5edf4679888de
+f218068ea943a511b230f2a99991f6d1fbc2ac0aec7c796b261e2a26744929ac
+1fb9dedf1de81d387eff4bd5e747f730dd03c440157a66f20fdb5e95f64318c0
+4dc255504a6c3ea8714ccdc95cc04138dc6c92130887274c8582b4a96ebab4a8