Detected by Citizen Lab and Microsoft, Israeli Spyware Developer QuaDream Will Stop Working

The Israeli spyware provider QuaDream is reported to be ceasing software development and operations in the coming days.

The fact is that a week ago, Citizen Lab and Microsoft experts released a report in which they shed light on the activities of QuaDream (DEV-0196 in the Microsoft classification), talking about the company’s malware and its victims.

Let me remind you that we also wrote that the creation of the Chinese Comac C919 aircraft was accompanied by hacker attacks and cyber espionage, and also that Huawei success in 5G may be due to cyber espionage.

And also the media wrote that Cyber-Espionage Group Worok Attacks Asian Governments and Companies.

It all started with the fact that last week security experts reported the discovery (article from Citizen Lab, article from Microsoft) of a new commercial spyware manufacturer, QuaDream, whose tools were used against at least five representatives of NGOs in North America, Central Asia, South -East Asia, Europe and the Middle East.

For example, according to the findings of Citizen Lab, the spy campaign in 2021 targeted journalists, the political opposition and NGO workers, whose names were not released.

The researchers believe that QuaDream used a zero-click exploit called ENDOFDAYS to compromise devices based on iOS 14 (versions 14.4 and 14.4.2). It used “invisible iCloud calendar invitations sent by the spyware operator to victims.” To keep the user from noticing, .ics files were used, containing invitations to two backdated overlapping events.

Microsoft Threat Intelligence experts noted that although QuaDream cyber mercenaries are not involved in the attacks themselves, they sell “operational services and malware” to government clients around the world.

In particular, Microsoft described the KingsPawn malware, which contains a monitoring agent and a main malware agent (both are Mach-O files written in Objective-C and Go). While the monitoring agent is responsible for reducing malware footprints to avoid detection, the main agent can collect device information, cellular and Wi-Fi data, specific files, access the camera in the background, record phone calls and ambient sounds. from the device’s microphone, access location data, call logs, iOS Keychain, and iCloud TOTP passwords.

According to experts, from the end of 2021 to the beginning of 2023, QuaDream customers used about 600 servers in a number of countries, including Bulgaria, the Czech Republic, Hungary, Romania, Ghana, Israel, Mexico, Singapore, the United Arab Emirates and Uzbekistan.

At the same time, Apple assured that there are no signs that the ENDOFDAYS exploit was used after the release of iOS 14.4.2 in March 2021.

As the Israeli newspaper Calcalist has now reported, citing its own sources, QuaDream intends to stop working in the coming days. According to journalists, the company has been “not active for some time” and has been “in a difficult situation” for several months. The report emphasizes that the board of directors of the company intends to sell intellectual property.