Microsoft and Citizen Lab have discovered commercial spyware created by an Israel-based company, QuaDream, used to compromise the iPhones of high-risk individuals using a no-click exploit called ENDOFDAYS.

Attackers targeted a zero-day vulnerability affecting iPhones running iOS 1.4 through 14.4.2 between January 2021 and November 2021, using what Citizen Lab described as “backdated, invisible iCloud calendar prompts.”

The compromised devices belonged to “at least five civil society victims of QuaDream spyware and exploits in North America, Central Asia, Southeast Asia, Europe and the Middle East,” Citizen Lab researchers said.

“The victims include journalists, political opposition figures and an NGO employee. We are not naming the victims at this time.”

The surveillance malware deployed in this campaign (dubbed KingsPawn by Microsoft) was also designed to self-delete and clean all tracks from victims’ iPhones to evade detection.

“We found that the spyware also contains a self-destruct feature that cleans up various traces left by the spyware itself,” Citizen Lab said.

“Our analysis of the self-destruct feature revealed a process name used by the spyware, which we discovered on the victim devices.”

Based on Citizen Lab’s analysis, the spyware comes with a wide range of “features,” ranging from recording phone calls and ambient audio to letting the threat actors search the victims’ phones.

The full list of features Citizen Lab found while analyzing the QuaDream spyware includes the following:

  • Audio recording of phone calls
  • Microphone audio recording
  • Take photos via the front or back camera of the device
  • Exfiltrate and remove keychain items from the device
  • Hijack the phone’s Anisette framework and hook the gettimeofday system call to generate one-time password (TOTP) iCloud login codes for arbitrary dates. We suspect this is being used to generate valid two-factor authentication codes for future dates, to facilitate persistent exfiltration of user data directly from iCloud.
  • Run queries against SQL databases on the phone
  • Clean up leftovers that might be left behind by no-click exploits
  • Device location tracking
  • Perform various file system operations, including finding files that match specified characteristics

Citizen Lab has found QuaDream servers in several countries, including Bulgaria, Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates (UAE), and Uzbekistan.

“Ultimately, this report is a reminder that the mercenary spyware industry is larger than any one company and that continued vigilance is required on the part of researchers and potential targets,” Citizen Lab said.

“Until the uncontrollable proliferation of commercial spyware is successfully stemmed through systemic government regulations, the number of abuse cases is likely to continue to rise, fueled both by companies with recognizable names, as well as by others still operating in the shadows.”

A year ago, Citizen Lab also revealed details of a clickless iMessage exploit (dubbed HOMAGE) that was used to install NSO Group spyware on the iPhones of Catalan politicians, journalists and activists.

Commercial spyware from surveillance technology vendors such as NSO Group, Cytrox, Hacking Team and FinFisher has repeatedly been deployed against Android and iOS devices by exploiting zero-day vulnerabilities, in most cases via no-click exploits that the targets cannot detect.
