Israeli spyware QuaDream Targets High-Risk iPhones with Zero click Exploit

Israeli spyware QuaDream Targets High-Risk iPhones with Zero click Exploit

At least five members of civil society in North America, Central Asia, Southeast Asia, Europe, and the Middle East were targeted by threat actors employing hacking tools from an Israeli surveillance ware company called QuaDream.

The malware campaign in 2021 was targeted at journalists, members of the political opposition, and an employee of an NGO.

Additionally, it’s believed that the business utilized the zero-click vulnerability known as ENDOFDAYS in iOS 14 to introduce malware as a zero-day in versions 14.4 and 14.4.2. No proof exists that the exploit was exploited beyond March 2021.

The researchers claimed that ENDOFDAYS “appears to use invisible iCloud calendar invitations sent from the spyware’s operator to victims.”

Israeli spyware QuaDream Targets High-Risk iPhones with Zero click Exploit
Israeli spyware QuaDream Targets High-Risk iPhones with Zero click Exploit

QuaDream is being monitored by the Microsoft Threat Intelligence team under the identifier DEV-0196, which classifies the cyber mercenary business as a PSOA (private sector offensive actor).

The malware, KingsPawn, has both the monitor agent and the primary malware agent, both of which are Mach-O files created in Objective-C and Go, respectively.

The primary agent has access to the device’s settings, cellular and Wi-Fi data, harvested files, background camera access, location, call logs, iOS Keychain, and even the ability to create an iCloud time-based one-time password (TOTP).

According to Internet scans conducted by Citizen Lab, QuaDream’s clients ran 600 servers from a variety of nations between late 2021 and early 2023, including Bulgaria, the Czech Republic, Hungary, Romania, Ghana, Israel, Mexico, Singapore, the United Arab Emirates, and Uzbekistan.

The media has taken notice of QuaDream before. According to a Reuters article from February 2022, the business used the iMessage FORCEDENTRY zero-click attack to deliver the malware program REIGN.

Then, in December 2022, Meta revealed that it had shut down a network of 250 phoney accounts on Facebook and Instagram that QuaDream had been using to infect Android and iOS devices and steal personal information.

See more: Linux Servers Targeted in Color1337 Cryptojacking Campaign

The number of abuse cases is likely to keep increasing, supported by both companies with well-known names and others still operating in the shadows, according to the Citizen Lab, “until the out-of-control proliferation of commercial spyware is successfully curtailed through systemic government regulations.”

Microsoft claimed that the rise of mercenary spyware firms poses a threat to democracy and human rights and that stopping such hostile actors calls for a “collective effort” and “multistakeholder collaboration.”

Amy Hogan-Burney, the company’s assistant general counsel for cybersecurity policy and protection, added that it is only a matter of time before more people start using the tools and services they sell.

See more: Hackers Hide Backdoors beneath Harmful Self-Extracting Archives

The security and stability of the larger online environment are also seriously jeopardized by this, in addition to online human rights. Cyber mercenaries must gather vulnerabilities and look for fresh methods of gaining unauthorized access to networks in order to provide the services they offer.


Author: Sanghamitra Sethy

We hope you found article interesting. For more exclusive content follow us on FacebookTwitter and LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked *