Pegasus-like spyware Reign was used in targeted iPhone attacks
Security experts at the University of Toronto's Citizen Lab have spilled the beans on a Pegasus-like spyware called Reign. A report published by the researchers reveals that the exploit was used in targeted iPhone attacks.
The Pegasus spyware made by the NSO Group is probably the most infamous one of the lot. The mercenary malware was sold to various Governments around the World, and was used to spy on high profile targets, using a zero-day exploit that was termed as ForcedEntry.
Citizen Lab is often credited for finding and reporting bugs in iOS and macOS to Apple. Microsoft Threat Intelligence obtained some samples of the Reign spyware, which they called KingsPawn. You can read their analysis of the spyware here. Microsoft Threat Intelligence shared 2 samples of the Reign spyware with the security researches at Citizen Lab, who dissected them to analyze the malware's code. They have published their findings in a blog article on their website.
What is the Reign spyware?
Reign was created by QuaDream, an Israeli company that was founded by a former military official, and allegedly has ties with intelligence agencies. This isn't the first time we are hearing about it, the spyware came to light in February 2022.
Meta released a Threat Report in December 2022, which mentioned that it detected some suspicious activity on about 250 accounts on its platforms, that were attributed to QuaDream. It was believed that the accounts were being used to test the spyware's capabilities on iOS and Android operating systems.
The Reign spyware seems to have been used in North America, Central Asia, Southeast Asia, Europe, and the Middle East. The report mentions that it was sold to government clients in Singapore, Saudi Arabia, Mexico, and Ghana. QuaDream had also offered its services to Indonesia and Morocco. Victims of the attack include journalists, political opposition figures, and an NGO worker. Further investigations revealed that QuaDream has servers operating from Bulgaria, Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates (UAE), and Uzbekistan.
Interestingly, QuaDream is involved in a legal feud with InReach, a Cyprus based firm, which was set up in 2017, for promoting the former's products outside its home Country. InReach however failed to transfer the revenues from sales of QuaDream's products per an agreement, which resulted in the latter freezing InReach's assets. QuaDream accused that InReach was funneling payments from customers to a secret bank account in Switzerland. The feud had a ripple effect in that it revealed several individuals from both companies had prior connections with a 3rd surveillance company called Verint, and other Israeli intelligence agencies.
How the Reign spyware was used for targeted iPhone attacks
Citizen Lab says that the 1st sample of Reign acted as a downloader that was used to extract information about the victim's device such as the iOS version, battery status, Wi-Fi SSID, Cellular carrier, phone number, SIM card data, etc. It could also download and execute a secondary payload. The 2nd sample was the actual mercenary spyware payload.
The researchers discovered that threat attackers used a zero-click exploit in iOS 14, specifically iOS 14.4 and 14.4.2, to deploy Reign. The exploit, which has been termed as ENDOFDAYS, uses invisible iCloud calendar invitations sent from the attacker to a victim. The .ICS file had invitations to 2 overlapping events that were backdated. iOS 14 processed backdated calendar invitations automatically without notifying the user, i.e. no interaction was required. This method was exploited by the ENDOFDAYS attack as a zero-click exploit to deploy the spyware stealthily on the victim's device.
Among other things, the spyware was capable of tracking the device's location, record audio from the microphone, record audio from calls, take pictures through the front or rear camera, extract Keychain data, generate iCloud 2FA passwords, search the files on the phone, etc. It could even clean its traces, leaving behind no remnants.
Image courtesy: Citizen Lab
A reminder about Lockdown Mode in iOS and macOS
State-sponsored attacks usually target people such as journalists, activists, or other important civilians, whom a Government might view as a threat. In case you aren't aware, last year, Apple introduced a feature called Lockdown Mode in iOS 16, iPadOS 16 and macOS Ventura 13. The option, when enabled, shuts off various attack vectors that are usually exploited by hackers. Lockdown mode was specifically designed to protect users against targeted attacks, so it could be useful for people who may be vulnerable to such threats.
What’s with Israel being so often at the vangard of surveillance and repression tools ? (and no, this is not meant as a compliment)
“Take pictures using front & back cameras”
Don’t forget to put opaque tape on those when not in use, by the way.
“State-sponsored attacks usually target people such as journalists, activists, or other important civilians, whom a Government might view as a threat.”
That’s not true. Targets of such surveillance are often ordinary people too.