Government hackers equipped with QuaDream’s exploit used malicious calendar invites with dates in the past to deliver spyware.
A little-known cyber mercenary company, QuaDream, has been identified by researchers at Microsoft and digital rights group Citizen Lab as the creator of malware that was used to hack into the iPhones of journalists, political opposition figures, and an NGO worker.
QuaDream, an Israeli spyware maker, reportedly develops zero-click exploits, which are hacking tools that do not require the target to click on malicious links, for iPhones. The final payload of QuaDream’s malware includes recording phone calls, surreptitiously capturing audio using the phone’s microphone, taking pictures, stealing files, tracking the person’s granular location, and deleting forensic traces of its existence.
Citizen Lab’s report states that its researchers were able to trace QuaDream’s spyware by identifying particular marks left by the malware, which they have referred to as the “Ectoplasm Factor.” However, the researchers have decided not to disclose these marks to ensure their ability to track the malware in the future.
The researchers have identified more than five victims, including an NGO worker, politicians, and journalists, whose iPhones were hacked in Europe, North America, the Middle East, and Southeast Asia. However, the researchers have decided not to disclose the victims’ names, as they do not want to jeopardize their safety.
The fact that the victims are in different countries also makes it harder for them to come forward, according to a senior researcher at Citizen Lab.
Although QuaDream has managed to stay under the radar, Israeli newspaper Haaretz reported in 2021 that it sold its wares to Saudi Arabia. A year later, Reuters reported that QuaDream sold an exploit to hack iPhones, which is comparable to the one provided by NSO Group.
It’s important to note that QuaDream does not run the spyware itself, but rather its government customers operate it, which is a common practice in the surveillance technology sector.
According to internet scans conducted by Citizen Lab, QuaDream’s customers operated servers in several countries worldwide, including the following:
- Israel
- Ghana
- Mexico
- Bulgaria
- Romania
- Hungary
- Singapore
- Uzbekistan
- Czech Republic
- United Arab Emirates (UAE)
In a blog post, Microsoft labelled QuaDream as an Israel-based private sector offensive actor (PSOA) who sells REIGN, a suite of exploits to governments. This suite includes malware and infrastructure developed to exfiltrate data from targeted smartphones.
The exploit utilized by QuaDream was created for iOS 14 and was a zero-day vulnerability, meaning it was not yet fixed or known by Apple at the time. Government hackers equipped with QuaDream’s exploit used malicious calendar invites with dates in the past to deliver the malware, which did not trigger a notification on the phone, making them invisible to the target.
QuaDream uses a Cyprus-based company called InReach to sell its products, according to Citizen Lab researchers, and this has been confirmed by a person who has worked in the spyware industry.
The discovery of QuaDream’s malware highlights once again that the spyware industry is not only made up of NSO Group but there are several other companies, most of which are still flying under the radar.
