Malware reportedly developed by a little-known Israeli commercial spyware maker has been found on devices of journalists, politicians, and an NGO worker in multiple countries, say researchers.
Reports from Microsoft and The University of Toronto’s Citizen Lab both conclude that government-serving spyware maker QuaDream used a zero-click exploit targeting Apple devices running iOS 14 to deliver spyware marketed under the name Reign to victims’ phones.
It appears the zero-click exploit involved abusing a shortcoming in iOS’s calendar app that would allow someone to automatically add backdated events to a target’s calendar, by sending them an invite, without the mark realizing.
Citizen Lab believes QuaDream hid some kind of malicious code or data inside iCal files in order to deliver its spyware to target devices: when a specially crafted calendar invite was sent to a victim, it was likely automatically processed by their iOS device, and a payload in that invitation was silently activated. The exact method of infection is not yet fully understood.
Once somehow up and running via this method, the spyware was able to exfiltrate various elements of device, carrier, and network info; search for and retrieve files; use the camera in the background; monitor calls; access the iOS keychain; generate iCloud one-time passwords; and more, said Microsoft.
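The one concrete delivery trait both reports describe is a calendar invite carrying backdated events. As an added defender's example (not code from Microsoft, Citizen Lab or QuaDream), the script below parses raw iCalendar text and flags events that are backdated relative to when the invite was received or that carry an ATTACH property, a triage heuristic for mail-gateway or incident-response review. The .ics sample and the receipt time are constructed; the 30-day backdating threshold is an assumption.

```python
from datetime import datetime, timedelta, timezone

SAMPLE_ICS = (  # constructed sample invite, not taken from any report
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nUID:constructed-1\r\nDTSTART:20200101T090000Z\r\n"
    "SUMMARY:Backdated invite\r\nATTACH;FMTTYPE=application/octet-stream:cid:part1\r\nEND:VEVENT\r\n"
    "BEGIN:VEVENT\r\nUID:constructed-2\r\nDTSTART;TZID=UTC:20210615T090000\r\nSUMMARY:Normal\r\n"
    "  meeting\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)

def unfold(ics):
    """Undo RFC 5545 line folding: a continuation line starts with SPACE or TAB."""
    lines = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_events(ics):
    """One dict per VEVENT: property name -> list of values (parameters dropped)."""
    events, current = [], None
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            current.setdefault(name.split(";", 1)[0].upper(), []).append(value)
    return events

def parse_dt(value):
    """Parse DATE or DATE-TIME values; floating and UTC forms are both read as UTC."""
    v = value.rstrip("Z")
    return datetime.strptime(v, "%Y%m%dT%H%M%S" if "T" in v else "%Y%m%d").replace(tzinfo=timezone.utc)

def triage(ics, received, backdate_days=30):
    """Return (UID, reasons) for events backdated relative to receipt or carrying ATTACH."""
    findings = []
    for ev in parse_events(ics):
        reasons = []
        if "DTSTART" in ev and received - parse_dt(ev["DTSTART"][0]) > timedelta(days=backdate_days):
            reasons.append("backdated")
        if "ATTACH" in ev:
            reasons.append("attachment")
        if reasons:
            findings.append((ev.get("UID", ["?"])[0], reasons))
    return findings
```

A flagged invite is a triage signal, not proof of compromise; recurring events and legitimately late invites will also trip the backdating check.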
According to Citizen Lab, QuaDream uses a subsidiary known as InReach to sell Reign to government customers outside of Israel, and has clients including Singapore, Saudi Arabia, Mexico, and Ghana. Suspected command-and-control servers for the company’s malware have been detected in the aforementioned countries as well as Romania, the United Arab Emirates, Israel, Hungary, and other nations.
“QuaDream operates with a minimal public presence, lacking a website, extensive media coverage, or social media presence,” Citizen Lab said in its report. Much of the information it’s been able to extract about QuaDream comes from legal disputes between it and InReach over the latter’s attempt to hide money owed to the Israeli software firm.
If all of this sounds familiar, that’s because QuaDream’s case is startlingly similar to what Israeli spyware maker NSO Group, makers of the Pegasus spyware used by various governments to spy on journalists, opposition politicians and dissidents, has been accused of.
“The firm has common roots with NSO Group, as well as other companies in the Israeli commercial spyware industry, and the Israeli government’s own intelligence agencies,” Citizen Lab said.
Here’s where this yarn gets a bit gnarly.
Reuters reported last year that Pegasus and Reign at one point both abused the same iOS bug to infiltrate devices. Pegasus’s exploit, known as ForcedEntry, involved taking advantage of how iOS processed images so that carefully crafted malicious files could achieve arbitrary code execution once delivered to a victim’s handheld.
QuaDream’s exploit as detailed this week by Microsoft and Citizen Lab – the latter of which dubbed the technique EndOfDays – relies on calendar events. Now it may be that EndOfDays exploited the same flaw as ForcedEntry as part of a multi-step infection process: a calendar invite could cause embedded image data to be processed, which would lead to code execution. It’s not entirely clear from this week’s reports if that’s the case, probably because the researchers involved don’t have access to the full exploit chain of EndOfDays.
That said, Apple in 2021 killed off the vulnerability used by ForcedEntry, which also apparently stopped QuaDream’s spyware from working properly. So it’s possible the 2021 fix stopped EndOfDays dead because EndOfDays and ForcedEntry really were relying on the same flaw. Alternatively, QuaDream had another exploit at the time that was stopped by Apple’s fix, and EndOfDays is a separate exploit. We’ve tried to seek clarification on this point.
Citizen Lab said it identified two cases in 2021 where targets in North America and Central Asia showed evidence of EndOfDays being run on their devices. “At least one target who was notified by Apple tested positive for QuaDream’s spyware and was negative for Pegasus,” Citizen Lab said in its report.
Both Microsoft and Citizen Lab included indicators of compromise in their reports, but Microsoft noted that such zero-click attacks can be difficult to prevent or detect after a device has been compromised. Their reports both detail methods used by the malware to remove traces of its existence, such as removing calendar entries used to launch the attack after infection has occurred.
Microsoft recommended that anyone who believes they may be at risk of being targeted by commercial spyware should enable iOS’s lockdown mode, which Apple launched last year to combat commercial spyware attacks like Pegasus.
Despite the spyware’s attempts to hide itself, Citizen Lab said that it found evidence that the malware did leave some traces behind, which it didn’t cover in its report “as we believe this may be useful for tracking QuaDream’s spyware going forward.”
“Ultimately, this report is a reminder that the industry for mercenary spyware is larger than any one company, and that continued vigilance is required by researchers and potential targets alike,” Citizen Lab concluded. It added that proliferation of commercial spyware is an “out of control” problem unlikely to abate without governments taking action to stop the use of such tools – and all of them, not just the ones that are politically convenient. ®