Dual reports released this week shed light on the KingsPawn iOS malware developed and sold by known spyware vendor QuaDream. The QuaDream malware has infected at least five unnamed victims between 2019 and 2021, including journalists, political dissidents and a non-government organization worker in North America, Central Asia, Europe and the Middle East.
QuaDream (also called DEV-0196 by Microsoft) is an Israeli spyware vendor that has been operating for several years, goes to great lengths to remain under the radar and has “common roots” with Pegasus spyware maker NSO group and others in the commercial spyware landscape, according to Citizen Lab in a Tuesday report.
Unlike hack-for-hire groups like Void Balaur, which are known to conduct attacks on behalf of organizations or individuals, QuaDream develops and sells products that end users then operate themselves. QuaDream and its suite of exploits have been highlighted by previous reports, including a Reuters investigation last year exposing QuaDream’s flagship exploit toolset and a Meta report in December that described the takedown of 250 accounts associated with the company.
“QuaDream’s obscurity reflects an effort to avoid media scrutiny that was successful, for a time,” said Citizen Lab researchers. “Yet once QuaDream infections become discoverable through technical methods, a predictable cast of victims emerged: civil society and journalists. This pattern is a repetition of the abuses found with more notorious players, like NSO Group’s Pegasus spyware, Cytrox’s Predator spyware, and before them Hacking Team and FinFisher.”
In a separate Tuesday analysis, Microsoft found that the KingsPawn malware is made up of different components, including a monitor agent aimed at hindering detection and a main agent with various spying capabilities. These functionalities include monitoring phone calls and using a device's camera in the background, getting device locations and collecting various device, Wi-Fi and cellular information.
KingsPawn’s main agent uses several techniques to cover its tracks on victims’ devices, and the initial infection was equally stealthy. The malware infected some of the target devices through what Citizen Lab researchers believe to be an iOS 14 zero-click exploit. Researchers said the exploit (observed targeting devices running iOS 14 through iOS 14.4.2) appeared to leverage malicious, invisible iCloud calendar invitations sent from spyware operators to victims. Because the iCloud calendar invitations had backdated timestamps, they were automatically processed by the phone and added to the calendar without notifying the user. Upon closer inspection of devices that had been infected by QuaDream’s malware, researchers also found that a suspicious event added to a victim’s calendar contained CDATA opening and closing tags embedded in keys in an .ics file.
“We suspect that the attacker’s use of closing and opening CDATA tags in the .ics could potentially facilitate the inclusion of additional XML data that would be processed by the user’s phone, in order to trigger some behaviour desired by the attacker,” according to Citizen Lab researchers.
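The two traits described above (CDATA markers inside .ics property values, and invitations whose event time already lies in the past when they arrive) are both cheap to check for when triaging a suspicious calendar export. The script below is an added example written for this article, not code from the Citizen Lab or Microsoft reports; the sample invitation is constructed, the receipt time is assumed, and the heuristics are illustrative triage rules rather than the researchers' own detection logic.

```python
"""
Added example (not from the Citizen Lab or Microsoft reports): a small
triage script that scans an iCalendar (.ics) invitation for two traits
the reports associate with the backdated zero-click invitations:
  1. CDATA opening/closing markers ("<![CDATA[" / "]]>") embedded in
     property values, which have no place in a well-formed .ics file;
  2. an event start (DTSTART) that predates the time the invitation was
     received, i.e. a backdated invitation.
The sample invitation and the receipt time below are constructed for
this example, and the heuristics are assumptions, not the reports'
detection logic.
"""
import re
from datetime import datetime, timezone
from typing import List, Optional, Tuple

CDATA_OPEN = "<![CDATA["
CDATA_CLOSE = "]]>"

# Assumed time at which the invitation reached the device (constructed).
RECEIVED_AT = datetime(2021, 1, 2, tzinfo=timezone.utc)

# Constructed sample: a minimal invitation with an embedded CDATA marker
# and a DTSTART well before the assumed receipt time.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//example//constructed sample//EN",
    "BEGIN:VEVENT",
    "UID:constructed-0001@example.invalid",
    "DTSTAMP:20210101T120000Z",
    "DTSTART:20200315T090000Z",
    "DTEND:20200315T100000Z",
    "SUMMARY:Quarterly review",
    "DESCRIPTION:Agenda attached<![CDATA[<x>placeholder</x>]]> see",
    " notes",  # folded continuation line (RFC 5545 line folding)
    "END:VEVENT",
    "END:VCALENDAR",
])


def unfold(text: str) -> List[str]:
    """Join RFC 5545 folded lines (continuations start with a space or tab)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_properties(text: str) -> List[Tuple[str, str]]:
    """Return (NAME, value) pairs; parameters after ';' are dropped."""
    props: List[Tuple[str, str]] = []
    for line in unfold(text):
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        props.append((name.split(";", 1)[0].upper(), value))
    return props


def parse_utc(stamp: str) -> Optional[datetime]:
    """Parse a basic-format UTC timestamp such as 20200315T090000Z."""
    m = re.fullmatch(r"(\d{8})T(\d{6})Z", stamp)
    if not m:
        return None
    return datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S").replace(
        tzinfo=timezone.utc
    )


def scan_invitation(text: str, received_at: datetime) -> List[str]:
    """Return human-readable findings for one .ics payload (empty if clean)."""
    findings: List[str] = []
    for name, value in parse_properties(text):
        if CDATA_OPEN in value or CDATA_CLOSE in value:
            findings.append(f"CDATA marker in {name}")
        if name == "DTSTART":
            when = parse_utc(value)
            if when is not None and when < received_at:
                findings.append(f"DTSTART backdated: {value} precedes receipt")
    return findings


if __name__ == "__main__":
    for finding in scan_invitation(SAMPLE_ICS, RECEIVED_AT):
        print("FLAG:", finding)
```

Run against the constructed sample, the scanner flags both the CDATA marker in the DESCRIPTION property and the backdated DTSTART; a clean invitation with a future start produces no findings. The DTSTAMP field is deliberately not used for the backdating check, since a legitimate invitation's DTSTAMP always slightly precedes receipt.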
In another technique aimed at sidestepping detection, the main agent injects itself into key system binaries such as the Transparency, Consent and Control daemon (tccd), which controls access permissions for components like the microphone and camera.
“Normally, users are met with a pop-up prompt from the tccd process, alerting them that something has requested access to the camera, microphone, or other peripheral, and the user is required to either allow or deny it,” said Microsoft researchers. “In this compromise scenario, the agent injects itself into the tccd binary, which allows the agent to spawn both new processes and threads as part of the exploitation process, and also allows it to bypass any tccd prompts on the device meaning the user would be unaware of camera compromise.”
Microsoft researchers said that the observed malware sample targets iOS 14, so some of these techniques may no longer be functional on newer operating system versions; however, they said it is highly likely that QuaDream will have updated its malware to account for newer versions.
Spyware and cyber mercenary commercial firms like QuaDream are increasingly selling their tools to authoritarian governments in order to target human rights activists, journalists, dissidents and others. Similar to Microsoft’s Tuesday report, which shared host and network IoCs in an effort to help detection, over the past year companies across the tech industry have offered up further information about cyber mercenary groups and cracked down on domains linked to related operations. In March, the Biden administration put pressure on spyware vendors by signing an executive order prohibiting U.S. government use of commercial spyware.
“Ultimately, this report is a reminder that the industry for mercenary spyware is larger than any one company, and that continued vigilance is required by researchers and potential targets alike,” said Citizen Lab researchers. “Until the out-of-control proliferation of commercial spyware is successfully curtailed through systemic government regulations, the number of abuse cases is likely to continue to grow, fueled both by companies with recognizable names, as well as others still operating in the shadows."