In collaboration with Citizen Lab, Microsoft recently uncovered an alarming discovery about QuaDream, an Israel-based firm.
The company was found to be behind the development of commercial spyware dubbed “KingsPawn” that uses a zero-click exploit called “ENDOFDAYS” to compromise high-risk individuals’ iPhones.
Threat actors exploited a zero-day vulnerability affecting iPhones running iOS 14 up to version 14.4.2.
Between January 2021 and November 2021, the attack relied on a sophisticated technique involving backdated “invisible iCloud calendar invitations,” which made it nearly impossible for targets to detect.
Zero-click Exploit to Drop Spyware
One way the ENDOFDAYS exploit could remain undetected by targets was by using backdated timestamps on iCloud calendar invitations.
When these backdated invitations were sent to iOS users, they were automatically added to the users’ calendars without any interaction on the user’s part, according to Microsoft’s report.
This automatic addition provided a stealthy means for the exploit to run without the user’s knowledge.
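As an added illustration of the delivery trick described above (this is not code from Microsoft or Citizen Lab), the following Python scans an exported iCalendar (.ics) file for invitations whose creation timestamp is later than the event date they carry and whose organizer is outside an allowlist; the sample export, the allowlist and the one-day threshold are constructed for the example.

```python
# Added example, not from Microsoft's or Citizen Lab's reporting: a heuristic
# scan of an iCalendar (.ics) export that flags invitations created after the
# event date they carry (DTSTAMP later than DTSTART) from unlisted organizers.
from datetime import datetime, timedelta
# Constructed sample export: one ordinary invite and one backdated invite.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:team-sync-1
DTSTAMP:20210301T090000Z
DTSTART:20210305T100000Z
ORGANIZER:mailto:colleague@example.org
END:VEVENT
BEGIN:VEVENT
UID:odd-invite-2
DTSTAMP:20210410T120000Z
DTSTART:20200115T080000Z
ORGANIZER:mailto:unknown@example.net
END:VEVENT
END:VCALENDAR
"""
TRUSTED_ORGANIZERS = {"colleague@example.org"}  # hypothetical allowlist

def parse_events(ics_text):
    """Minimal VEVENT parser returning one dict per event (no line folding)."""
    events, current = [], None
    for line in ics_text.splitlines():
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.split(";")[0]] = value  # drop property parameters
    return events

def is_backdated(event, min_gap=timedelta(days=1)):
    """True when the invite was created at least min_gap after its own start."""
    start = datetime.strptime(event["DTSTART"], "%Y%m%dT%H%M%SZ")
    created = datetime.strptime(event["DTSTAMP"], "%Y%m%dT%H%M%SZ")
    return created - start >= min_gap

def suspicious_invites(ics_text, trusted=TRUSTED_ORGANIZERS):
    """UIDs of backdated invites whose organizer is not on the allowlist."""
    flagged = []
    for ev in parse_events(ics_text):
        organizer = ev.get("ORGANIZER", "").replace("mailto:", "").lower()
        if organizer not in trusted and is_backdated(ev):
            flagged.append(ev["UID"])
    return flagged
```

This is a triage heuristic only: a backdated invitation from an unfamiliar organizer is worth investigating, but on its own it does not indicate compromise.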
QuaDream’s spyware has compromised a total of five civil society organizations in the following regions:-
- North America
- Central Asia
- Southeast Asia
- Europe
- The Middle East
The victims primarily targeted were:-
- Journalists
- Political opposition figures
- An NGO worker
The KingsPawn surveillance malware was equipped with a stealthy feature: the ability to self-delete and erase all traces of its existence on victims’ iPhones.
This design enabled the malware to evade detection, leaving victims unaware that their devices had been compromised. Traces of this self-destruct routine were nonetheless found on the victims’ devices, which revealed the name of the process the spyware used.
Capabilities of KingsPawn
Based on Citizen Lab’s analysis, the spyware used in this attack campaign is highly sophisticated and invasive, with a wide range of features.
The complete list of capabilities that KingsPawn offers is as follows:-
- Get device information
- Record audio from phone calls
- Record audio from the microphone
- Collect Wi-Fi information
- Collect cellular information
- Search for files
- Retrieve files
- Use the device camera in the background
- Get device location
- Monitor phone calls
- Access the iOS keychain
- Generate an iCloud time-based one-time password (TOTP)
Apart from this, QuaDream servers were discovered across multiple countries, including:-
- Bulgaria
- The Czech Republic
- Hungary
- Ghana
- Israel
- Mexico
- Romania
- Singapore
- United Arab Emirates
- Uzbekistan
This discovery of spyware used to target high-risk individuals is an alarming reminder of the scope and scale of the mercenary spyware industry.
This industry encompasses a vast network of companies, making it challenging to pinpoint any one culprit responsible for such attacks.
The prevalence of commercial spyware provided by surveillance tech providers has raised concerns about the security of vulnerable Android and iOS devices.
The spyware is often deployed on devices susceptible to zero-day flaws, exploiting previously unknown vulnerabilities and granting the attacker broad access to the device’s data and functions.