Microsoft and Citizen Lab on Tuesday released information on the activities, products and victims of an Israel-based spyware vendor named QuaDream.
QuaDream has been making an effort to keep a low profile, but its activities came to light last year, when Reuters described it as a competitor of the notorious Israeli company NSO Group, which is known for its Pegasus spyware.
QuaDream’s activities were also described last year by Meta, which reported taking down 250 accounts associated with the firm, which the social media giant said was founded by former NSO employees.
QuaDream has developed an exploitation platform named Reign, which has been offered to government organizations for law enforcement activities. Commercial spyware vendors typically advertise their solutions for such purposes, but investigations often reveal cases of abuse, with governments using spyware against their opponents.
The Reign platform includes malware, exploits and infrastructure that can be used to steal data from compromised Android and iOS mobile devices.
One distributor of this platform was a Cyprus-based company named InReach, which is currently in a legal dispute with QuaDream over its alleged refusal to transfer part of its revenue to the Israeli firm, as agreed upon.
This lawsuit has provided some insight into the spyware vendor’s business practices and Citizen Lab has made public some information on several individuals that appear to be involved with QuaDream and InReach.
Microsoft, which tracks QuaDream as DEV-0196, has published a blog post focusing on the analysis of the iOS malware — named KingsPawn by the tech giant — that is likely delivered as part of the Reign platform.
The version of the malware analyzed by Microsoft targeted iPhones running iOS 14, with evidence suggesting that some of the code may have been used for Android exploits as well. At the time of the attacks targeting iOS 14, this was the latest version of the operating system.
Apple was informed about these exploits in 2021 and the company reportedly notified targeted individuals at the time. Reuters reported that QuaDream leveraged the same iOS vulnerabilities that NSO Group used for its ForcedEntry exploit.
The exploits that were designed for iOS 14 no longer work on the newer versions of the mobile operating system, but Microsoft believes the threat actor has likely updated its malware to be able to hack newer iPhones as well. Apple regularly patches zero-day flaws exploited by commercial spyware vendors.
The malware has likely been delivered through a zero-click exploit named EndOfDays, which seemingly uses invisible iCloud calendar invitations sent by the attacker to victims for delivery.
Once it has been deployed on a device, the KingsPawn iOS malware can record audio from calls or the device’s microphone, take pictures using the camera, exfiltrate and remove keychain items, generate iCloud 2FA passwords, track location, search files and databases on the device, and clean up its tracks.
Both Microsoft and Citizen Lab have shared indicators of compromise (IoCs) that can be used to detect the presence of QuaDream spyware.
Citizen Lab’s investigation led to the identification of five unnamed victims located in North America, Europe, the Middle East, and Central and Southeast Asia. Victims include politicians, journalists, and one NGO worker.
An internet scan revealed the existence of 600 QuaDream servers, including ones used to store data exfiltrated from victims and servers used for one-click browser exploits. Citizen Lab believes QuaDream servers are operated from countries such as Israel, UAE, Uzbekistan, Singapore, Hungary, Czech Republic, Romania, Bulgaria, Mexico, and Ghana.
“Hungary, Mexico, and the United Arab Emirates are known to abuse spyware to target human rights defenders (HRDs), journalists, and other members of civil society,” Citizen Lab noted.
“We cannot determine if the systems operated from Israel are operated by the Israeli government or QuaDream itself. Nevertheless, the Israeli government is also suspected to have abused mercenary spyware to target Palestinian HRDs, as well as domestic political activists,” it added.
Related: Google Links Exploitation Frameworks to Spanish Spyware Vendor Variston
Related: Google Blocks Domains of Hack-for-Hire Groups in Russia, India, UAE
Related: Google Links More iOS, Android Zero-Day Exploits to Spyware Vendors
