
Israel-based Spyware Firm QuaDream Targets High-Risk iPhones with Zero-Click Exploit

Threat actors using hacking tools from an Israeli surveillanceware vendor named QuaDream targeted at least five members of civil society in North America, Central Asia, Southeast Asia, Europe, and the Middle East in 2021, according to findings from a group of researchers at the Citizen Lab. The spyware campaign was directed against journalists, political opposition figures, and an NGO worker, though the names of the victims were not disclosed.

It is suspected that the company abused a zero-click exploit dubbed ENDOFDAYS in iOS 14 to deploy spyware as a zero-day in versions 14.4 and 14.4.2, though there is no evidence that the exploit has been used after March 2021.

Microsoft's Threat Intelligence team is tracking QuaDream as DEV-0196, describing the cyber mercenary company as a private sector offensive actor (PSOA) that sells its “exploitation services and malware” to government customers.

The malware, named KingsPawn, contains a monitor agent and the primary malware agent, both of which are Mach-O files, written in Objective-C and Go, respectively. The monitor agent is responsible for reducing the forensic footprint of the malware to evade detection, while the main agent comes with capabilities to gather device information, cellular and Wi-Fi data, harvest files, access the camera in the background, access location, call logs, and the iOS Keychain, and even generate an iCloud time-based one-time password (TOTP).

Internet scans carried out by the Citizen Lab reveal that QuaDream’s customers operated 600 servers from several countries around the world between late 2021 and early 2023, including Bulgaria, the Czech Republic, Hungary, Romania, Ghana, Israel, Mexico, Singapore, the U.A.E., and Uzbekistan. The Citizen Lab also uncovered unspecified traces of what it calls the “Ectoplasm Factor” that could be used to track QuaDream’s toolset in the future.

QuaDream has attracted attention in the past. In February 2022, Reuters reported that the company weaponized the FORCEDENTRY zero-click exploit in iMessage to deploy a spyware solution named REIGN. Then in December 2022, Meta disclosed that it took down a network of 250 fake accounts on Facebook and Instagram controlled by QuaDream to infect Android and iOS devices and exfiltrate personal data. Microsoft believes that combating such offensive actors requires a “collective effort” and a “multistakeholder collaboration” to curb the out-of-control proliferation of commercial spyware.

In conclusion, the malicious activities of QuaDream show the need for systemic government regulation to control the proliferation of commercial spyware and protect human rights and democracy. The multistakeholder collaboration and collective effort that Microsoft calls for are crucial to combat the proliferation of such cyber mercenary companies and safeguard the security and stability of the online environment.

Key Points:
• Threat actors using hacking tools from an Israeli surveillanceware vendor named QuaDream targeted at least five members of civil society in 2021.
• QuaDream is known to sell its “exploitation services and malware” to government customers.
• The malware, named KingsPawn, contains capabilities to gather device information, cellular and Wi-Fi data, harvest files, access the camera in the background, and access location and call logs.
• Internet scans carried out by the Citizen Lab reveal that QuaDream’s customers operated 600 servers from several countries around the world.
• Microsoft believes that combating such offensive actors requires a “collective effort” and a “multistakeholder collaboration” to curb the out-of-control proliferation of commercial spyware.
