QuaDream, an Israeli surveillance firm known for its spyware called “Reign,” has been identified by Citizen Lab as targeting at least five members of civil society globally. The victims include journalists, political opposition figures, and an NGO worker located in North America, Central Asia, Southeast Asia, Europe, and the Middle East. The researchers suspect that the zero-day exploit dubbed ENDOFDAYS was used to deploy QuaDream’s spyware.
The exploit appears to work against iOS versions 14.4 and 14.4.2, and possibly other versions, and relies on invisible iCloud calendar invitations sent from the spyware's operator to victims. Citizen Lab identified QuaDream servers in multiple countries, including Bulgaria, the Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, the UAE, and Uzbekistan.
The Israeli firm has a partnership with a Cypriot firm called InReach, with whom it is currently embroiled in a legal dispute. Multiple key figures of both companies have prior connections with the surveillance vendor Verint, as well as Israeli intelligence agencies.
In February 2022, Reuters first reported on QuaDream's capabilities, revealing that the surveillance firm had separately exploited the same Apple iOS vulnerability that the FORCEDENTRY zero-click exploit, used by the spyware of the Israeli company NSO Group, had previously exploited.
Microsoft Threat Intelligence analysts assess with high confidence that a threat group tracked by Microsoft as DEV-0196 is linked to an Israel-based private sector offensive actor (PSOA) known as QuaDream. QuaDream reportedly sells a platform called REIGN to governments for law enforcement purposes.
The researchers noted that one of the samples they analyzed used functionality that, in some cases, leaves traces behind on infected devices even after the spyware is removed. Microsoft published technical details of the QuaDream iOS malware, which it tracks as KingsPawn, including indicators of compromise.
The malware is composed of a monitor agent, a native Mach-O file written in Objective-C, and a main agent, also a native Mach-O file, written in Go. The monitor agent is designed to reduce the forensic footprint of the malicious code to avoid detection, while the main agent provides the sophisticated spying capabilities.
Citizen Lab warned that until the out-of-control proliferation of commercial spyware is successfully curtailed through systemic government regulations, the number of abuse cases is likely to continue to grow, fueled both by companies with recognizable names and others still operating in the shadows.