Analysis of the KingsPawn malware / ENDOFDAYS exploit used against iOS 14
The Citizen Lab - Sweet QuaDreams: A First Look at Spyware Vendor QuaDream’s Exploits, Victims, and Customers
https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/
“We also identify traces of a suspected iOS 14 zero-click exploit used to deploy QuaDream’s spyware. The exploit was deployed as a zero-day against iOS versions 14.4 and 14.4.2, and possibly other versions. The suspected exploit, which we call ENDOFDAYS, appears to make use of invisible iCloud calendar invitations sent from the spyware’s operator to victims.”
functionality
“Recording audio from phone calls
Recording audio from the microphone
Taking pictures through the device’s front or back camera
Exfiltrating and removing items from the device’s keychain
Hijacking the phone’s Anisette framework and hooking the gettimeofday syscall to generate iCloud time-based one-time password (TOTP) login codes for arbitrary dates. We suspect that this is used to generate two-factor authentication codes valid for future dates, in order to facilitate persistent exfiltration of the user’s data directly from iCloud”
Microsoft Security Blog - DEV-0196: QuaDream’s “KingsPawn” malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia
https://www.microsoft.com/en-us/sec...h-america-the-middle-east-and-southeast-asia/
"This agent includes capabilities to:
Get device information (such as iOS version and battery status)
Wi-Fi information (such as SSID and airplane mode status)
Cellular information (such as carrier, SIM card data, and phone number)
Search for and retrieve files
Use the device camera in the background
Get device location
Monitor phone calls
Access the iOS keychain
Generate an iCloud time-based one-time password (TOTP)"
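Both reports describe the agent generating iCloud TOTP codes for arbitrary (future) dates. The following added example, not code from either report or from QuaDream, uses plain RFC 6238 TOTP (HMAC-SHA1, 30-second step, 8 digits, with the RFC's own test secret) as a model to show why that works and what the defensive consequence is: a code is a pure function of the shared secret and the timestamp, so anyone holding the secret can precompute the code for any instant, and a verifier's time window only decides when the code is accepted, not whether it can be computed. The iCloud-specific details (Anisette, the hooked gettimeofday) are assumed only at the level the quotes give; the `verify_totp` function and its `skew` parameter are this example's own names.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 8, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock.

    Nothing here depends on *when* it is called, only on the timestamp passed in,
    which is exactly what lets a holder of the secret mint codes for any date
    (in the reports, by feeding a chosen time back to the generator).
    """
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 8, skew: int = 1) -> bool:
    """Server-side check: accept the code only inside +/- `skew` steps of `unix_time`."""
    for i in range(-skew, skew + 1):
        expected = totp(secret, unix_time + i * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed scenario: the RFC 6238 test secret stands in for seed material
# that spyware has read from a device. Timestamps are arbitrary example values.
SECRET = b"12345678901234567890"
NOW = 1_700_000_000                 # "today" on the verifier's clock
FUTURE = NOW + 30 * 86_400          # 30 days later


def demo() -> dict:
    """Precompute a code for FUTURE while it is still NOW, then check both moments."""
    precomputed = totp(SECRET, FUTURE)
    rotated_secret = b"new-secret-after-re-enrollment"
    return {
        "precomputed_code": precomputed,
        # Rejected now: the window check does its job...
        "accepted_now": verify_totp(SECRET, precomputed, NOW),
        # ...but accepted once the calendar catches up, because the secret is unchanged.
        "accepted_at_future": verify_totp(SECRET, precomputed, FUTURE),
        # Only rotating the secret (re-enrolling the second factor) invalidates it.
        "accepted_after_rotation": verify_totp(rotated_secret, precomputed, FUTURE),
    }


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: T=59 with the SHA1 test secret yields 94287082.
    print("RFC vector check:", totp(SECRET, 59))
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical takeaway for an incident responder is in the last two fields: once the seed material has been exfiltrated, expiring sessions or waiting out a time window does not help, because every future code is already known to the holder of the secret; the account's second factor has to be re-enrolled so that the secret itself changes.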