Microsoft and Citizen Lab detected the use of commercial spyware created by the Israel-based company QuaDream. It targeted high-risk iPhones using a zero-click exploit named “ENDOFDAYS.” Through the exploit, attackers targeted a zero-day vulnerability found in iPhones running iOS 1.4 up to 14.4.2. The campaign ran from January 2021 to November 2021 and targeted at least five civil society victims in the Middle East, Europe, North America, Central Asia, and Southeast Asia. The spyware enabled spying on journalists, political opposition figures, and NGO workers by means of an invisible iCloud calendar invitation, which was added to users’ calendars without notification.
The Exploits Used to Deploy Commercial Spyware
Citizen Lab discovered an invisible iCloud calendar invitation containing backdated events that, on reaching the target’s iPhone, automatically added themselves to the user’s calendar without notification. At that point, the QuaDream ENDOFDAYS exploit compromised the device without any user interaction. The exploit enabled the spyware to move undetected through the victims’ devices, recording audio from phone calls, taking pictures, tracking their location, and performing various file system operations to compromise their data.
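The indicator described above, an invite whose event lies far in the past relative to when the invite was created, can be checked on an exported calendar. The script below is an added example, not code from the article or from Citizen Lab; it assumes a basic iCalendar (.ics) export with UTC timestamps and uses a constructed sample file.

```python
# Added example (not from the article or Citizen Lab): flag backdated
# invites in an iCalendar (.ics) export. The heuristic follows the indicator
# described above: DTSTART far earlier than DTSTAMP (when the invite was made).
from datetime import datetime, timedelta, timezone

# Constructed sample: one ordinary invite and one backdated invite.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:meeting-1@example.invalid
DTSTAMP:20210605T100000Z
DTSTART:20210610T140000Z
END:VEVENT
BEGIN:VEVENT
UID:suspicious-1@example.invalid
DTSTAMP:20210605T100000Z
DTSTART:20210101T000000Z
END:VEVENT
END:VCALENDAR"""

def _parse_utc(value):
    # Only the basic UTC form YYYYMMDDTHHMMSSZ is handled; others raise ValueError.
    return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_events(ics_text):
    """Return one dict of properties per VEVENT (no line-folding support)."""
    events, current = [], None
    for raw in ics_text.splitlines():
        line = raw.strip()
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.split(";")[0]] = value  # drop parameters such as TZID=
    return events

def backdated_events(ics_text, min_backdate=timedelta(days=1)):
    """Return UIDs of events whose DTSTART precedes DTSTAMP by more than min_backdate."""
    flagged = []
    for ev in parse_events(ics_text):
        if "DTSTAMP" not in ev or "DTSTART" not in ev:
            continue
        try:
            created, start = _parse_utc(ev["DTSTAMP"]), _parse_utc(ev["DTSTART"])
        except ValueError:
            continue  # non-UTC or date-only forms are out of scope here
        if created - start > min_backdate:
            flagged.append(ev.get("UID", "<no uid>"))
    return flagged
```

Run it against a real export by reading the file into `backdated_events`; a hit is a triage lead, not proof of compromise, since legitimately backdated entries exist.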
Malware Self-Destruction and Clean-Up
QuaDream’s spyware self-deletes and cleans up any traces from the victims’ phones, helping it evade detection by those being targeted. “The self-destruct feature cleans up various traces left behind by the spyware itself,” stated Citizen Lab. They also discovered a process name used by the spyware, which was present on the victim devices.
Capabilities of the QuaDream Commercial Spyware
According to Citizen Lab’s analysis, the QuaDream spyware had an array of “features,” which allowed threat actors to take over victims’ phones. The list of capabilities discovered includes:
- Recording environmental audio and calls
- Taking pictures using the front or back camera
- Exfiltrating and removing items from the device’s keychain
- Running queries on SQL databases present on the phone
QuaDream’s malware deployed several sophisticated capabilities, including hijacking the Anisette Framework, hooking the gettimeofday syscall to create time-based one-time password (TOTP) login codes, and generating future dates to facilitate persistent exfiltration from iCloud. The spyware could perform various file system operations, searching for specific files using specified behaviors, as well as cleaning up any remnants of other zero-click exploits.
QuaDream Spyware and Servers
Citizen Lab also discovered QuaDream servers in several countries, including the United Arab Emirates, Singapore, Bulgaria, Ghana, Czech Republic, Romania, Hungary, Uzbekistan, Israel, and Mexico. This revelation signifies that entities, such as governments and other malicious actors, could have had access to the QuaDream spyware, putting targeted individuals in those regions at risk.
Microsoft, Citizen Lab, and government agencies will continue to work towards the discovery of spyware that could expose people to risk. Microsoft has been using Defender for Endpoint to detect the malware, while Citizen Lab urges iPhone users to update their software regularly to protect themselves from similar malware. Additionally, organizations using iPhones should be cautious about accepting calendar invites from unknown sources.
The QuaDream spyware discovered by Microsoft and Citizen Lab, deployed using a zero-click exploit, showed how attackers continue to refine and develop spyware that exploits system vulnerabilities to gain access to targets. The widespread presence of QuaDream servers also highlighted the need for governments and other entities to work towards curtailing the creation and distribution of such spyware.