QuaDream, an Israeli surveillanceware vendor, has reportedly targeted at least five members of civil society in North America, Central Asia, Southeast Asia, Europe, and the Middle East with its hacking tools. According to researchers from the Citizen Lab, the spyware campaign focused on journalists, political opposition figures, and an NGO worker in 2021. The victims’ names were not disclosed.
Zero-click exploit: ENDOFDAYS
It is also suspected that the company exploited a zero-click vulnerability called ENDOFDAYS in iOS 14 to deploy its spyware. This zero-day was effective in versions 14.4 and 14.4.2, with no evidence of use after March 2021. ENDOFDAYS allegedly involves invisible iCloud calendar invitations sent from the spyware operator to victims. The .ics files within these invitations contain two backdated and overlapping events, ensuring users aren’t alerted.
The attacks are believed to have exploited a flaw in iOS 14, where any backdated iCloud calendar invitation is automatically processed and added to the user’s calendar without any notification or prompt.
Microsoft’s Threat Intelligence team is tracking QuaDream as DEV-0196, identifying it as a private sector offensive actor (PSOA). While the company is not directly involved in targeting, it is known to sell its “exploitation services and malware” to government customers.
Malware capabilities: KingsPawn
KingsPawn, the malware in these attacks, has two components: a monitor agent and a primary malware agent. These are Mach-O files written in Objective-C and Go, respectively. The monitor agent’s purpose is to minimize the malware’s forensic footprint and evade detection.
Meanwhile, the primary malware agent boasts a range of capabilities. It can gather device information, cellular and Wi-Fi data, and access the camera and location. Additionally, it can access call logs, iOS Keychain, and generate an iCloud time-based one-time password (TOTP).
Further samples demonstrate support for recording audio from phone calls and the microphone, running queries in SQL databases, and erasing forensic trails, such as deleting calendar events from two years before the current time. The data is exfiltrated via HTTPS POST requests.
Citizen Lab’s internet scans reveal that QuaDream’s customers operated 600 servers worldwide between late 2021 and early 2023. Even though the spyware tries to hide its traces, the lab managed to find unspecified evidence called the “Ectoplasm Factor.” This discovery could help track QuaDream’s toolset in the future.
Commercial spyware firms remain a threat
QuaDream’s history of attention includes weaponizing the FORCEDENTRY zero-click exploit in iMessage to deploy a spyware solution named REIGN and controlling a network of 250 fake Facebook and Instagram accounts to infect Android and iOS devices and exfiltrate personal data. This situation highlights that despite the notoriety attracted by NSO Group, commercial spyware firms continue to develop sophisticated spyware products for government clients.
The Citizen Lab calls for systemic government regulations to curb the out-of-control proliferation of commercial spyware. Microsoft highlights the need for collective action and collaboration among multiple stakeholders to fight against these offensive actors. Their services present significant risks to human rights, online security, and overall internet stability.
{{user}} {{datetime}}
{{text}}