Israel-based Spyware Company QuaDream has Reportedly Utilized a Zero-Click Exploit to Target High-Risk iPhones.

Research conducted by the Citizen Lab has revealed that a spyware campaign, deployed by an Israeli surveillanceware vendor named QuaDream, targeted at least five members of civil society in North America, Central Asia, Southeast Asia, Europe, and the Middle East in 2021. The identities of the victims have not been disclosed. It is believed that the company employed a zero-click exploit against iOS 14, known as ENDOFDAYS, to deploy the spyware as a zero-day on versions 14.4 and 14.4.2. There is no evidence that the exploit has been utilized after November 2021.

The researchers have stated that ENDOFDAYS appears to make use of invisible iCloud calendar invitations sent from the spyware’s operator to victims, with .ics files containing invites to two backdated and overlapping events in order to avoid alerting the users. It is suspected that the attacks took advantage of a peculiarity in iOS 14 whereby any iCloud calendar invitation with a backdated time received by the phone is automatically processed and added to the user’s calendar without any notification or prompt.
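As an added illustration for defenders (not code from the Citizen Lab report or this article), the Python triage helper below scans an exported .ics calendar for the two traits described above: invites whose start time lies well before the DTSTAMP that created them, and events whose time ranges overlap one another. The sample export is constructed, the property names are standard iCalendar ones, and timestamps are assumed to be UTC in basic form (e.g. 20210601T090000Z).

```python
from datetime import datetime, timedelta
from itertools import combinations
# Constructed sample export (not real campaign data): two backdated, overlapping
# invites plus one ordinary future invite.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:evt-1@example.invalid
DTSTAMP:20210615T120000Z
DTSTART:20210601T090000Z
DTEND:20210601T100000Z
END:VEVENT
BEGIN:VEVENT
UID:evt-2@example.invalid
DTSTAMP:20210615T120000Z
DTSTART:20210601T093000Z
DTEND:20210601T103000Z
END:VEVENT
BEGIN:VEVENT
UID:evt-3@example.invalid
DTSTAMP:20210615T120000Z
DTSTART:20210620T090000Z
DTEND:20210620T100000Z
END:VEVENT
END:VCALENDAR"""

def parse_events(ics_text):
    # Minimal VEVENT reader; property parameters such as ;TZID= are dropped.
    events = []
    for block in ics_text.split("BEGIN:VEVENT")[1:]:
        body = block.split("END:VEVENT", 1)[0]
        props = (l.strip().split(":", 1) for l in body.splitlines() if ":" in l)
        events.append({k.split(";")[0]: v for k, v in props})
    return events

def ts(value):  # assumes UTC timestamps in basic form, e.g. 20210601T090000Z
    return datetime.strptime(value, "%Y%m%dT%H%M%SZ")

def flag_suspicious(ics_text, min_backdate=timedelta(days=1)):
    # Flag starts well before their DTSTAMP (backdated) and overlapping pairs.
    findings, spans = [], []
    for e in parse_events(ics_text):
        start, end = ts(e["DTSTART"]), ts(e["DTEND"])
        spans.append((e["UID"], start, end))
        if ts(e["DTSTAMP"]) - start >= min_backdate:
            findings.append(("backdated", e["UID"]))
    for (ua, sa, ea), (ub, sb, eb) in combinations(spans, 2):
        if sa < eb and sb < ea:
            findings.append(("overlap", ua, ub))
    return findings
```

Run `flag_suspicious(open("export.ics").read())` against a real export; a hit on both traits for the same pair of events is worth a closer forensic look, not proof of compromise on its own.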

The Microsoft Threat Intelligence team has designated QuaDream as DEV-0196, categorizing it as a Private Sector Offensive Actor (PSOA). With high confidence, the tech giant has determined that the cyber mercenary company is not directly engaged in targeting, but instead is known to offer its “exploitation services and malware” to government customers.

The malware, dubbed KingsPawn, comprises two Mach-O files written in Objective-C and Go, respectively. The monitor agent is designed to reduce the forensic footprint of the malware, thus helping it to evade detection, while the main agent has the capability to acquire device information, cellular and Wi-Fi data, harvest files, access the camera in the background, access location, call logs, and iOS Keychain, and even generate an iCloud time-based one-time password (TOTP).

Research conducted by the Citizen Lab has revealed that QuaDream’s customers operated 600 servers from various countries between late 2021 and early 2023. These servers supported the recording of audio from phone calls and the microphone, running queries in SQL databases, and cleaning up forensic trails, such as deleting all calendar events from two years prior to the current time. The data was exfiltrated via HTTPS POST requests. Furthermore, the interdisciplinary laboratory was able to uncover unspecified traces of what it calls the “Ectoplasm Factor” that could be used to track QuaDream’s toolset in the future.

It is worth noting that this is not the first time QuaDream has attracted attention. In February 2022, Reuters reported that the company weaponized the FORCEDENTRY zero-click exploit in iMessage to deploy a spyware solution named REIGN. Additionally, in December 2022, Meta disclosed that it took down a network of 250 fake accounts on Facebook and Instagram controlled by QuaDream to infect Android and iOS devices and exfiltrate personal data.

Apple informed The Hacker News that it is continually striving to enhance the security of iOS. Furthermore, the company declared that there is no indication that the exploit has been utilized since the release of iOS 14.4.2 in March 2021.

This development serves as yet another indication that, despite the notoriety garnered by NSO Group, commercial spyware firms persist in flying under the radar and creating sophisticated spyware products for use by government clients.

“Unless the unrestrained proliferation of commercial spyware is adequately addressed through systematic government regulations, the number of abuse cases is likely to keep on increasing, powered both by companies with well-known names, as well as those still operating in the shadows,” the Citizen Lab stated.

Microsoft referred to the growth of mercenary spyware companies as a threat to democracy and human rights and emphasized that countering such offensive actors necessitates a “collective effort” and a “multistakeholder collaboration.”

“It is only a matter of time before the use of the tools and technologies they sell spreads even further,” Amy Hogan-Burney, the company’s associate general counsel for cybersecurity policy and protection, declared. “This poses real risk to human rights online, but also to the security and stability of the broader online environment. The services they offer necessitate cyber mercenaries to accumulate vulnerabilities and search for new methods to access networks without authorization.”
