QuaDream, a notorious threat group based in Israel, has been deploying a new spyware strain called KingsPawn against its targets. Based on reports, the new spyware resembles the Pegasus spyware that infected numerous users last year.
The group allegedly used KingsPawn to compromise the iPhone devices of targeted individuals through a new zero-click exploit dubbed ENDOFDAYS.
The KingsPawn spyware is built to compromise specific Apple devices.
According to investigations, the QuaDream operators deploy the KingsPawn spyware by exploiting a zero-day vulnerability in iPhone devices running iOS versions 1.4 to 14.4.2.
Additionally, the attackers carried out these attacks between January and November a couple of years ago, using backdated and invisible iCloud calendar invitations.
The actors started their operation by sending these iCloud calendar invitations, carrying backdated timestamps, to the targeted iOS devices. Such invites are added to the victims’ calendar by default, so the users receive no prompt or notification.
Subsequently, the actors could inject XML data into a targeted device by sending a specially crafted invitation. This lets the attackers run the ENDOFDAYS exploit without any interaction from the victim, and the exploit also hides the campaign from the targeted user.
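Because the report's one observable trait on the victim side is a calendar invitation whose timestamps lie well in the past at the moment it arrives, a defender can hunt for that pattern in exported or intercepted iCalendar data. The following is an added example, not code from the original report or from any QuaDream tooling: it parses a minimal iCalendar feed, unfolds RFC 5545 continuation lines, and flags any VEVENT whose DTSTAMP or DTSTART is older than a chosen threshold relative to the time the invitation was received. The sample invitations, the UIDs, the receipt time and the one-day threshold are all constructed for illustration, and floating (non-UTC) times are treated as UTC as a simplifying assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample feed (not a real artifact): the first invitation is a
# normal upcoming meeting, the second was "created" and "starts" more than a
# year before it was received, the backdated pattern described in the report.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed//sample//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:normal-meeting@example.invalid
DTSTAMP:20230410T090000Z
DTSTART:20230412T150000Z
SUMMARY:Team sync
END:VEVENT
BEGIN:VEVENT
UID:suspicious@example.invalid
DTSTAMP:20220115T000000Z
DTSTART:20220116T000000Z
SUMMARY:Reminder that arrived long after its
  own dates
END:VEVENT
END:VCALENDAR
"""

# Assumed time at which the device received the feed (constructed).
RECEIVED_AT = datetime(2023, 4, 10, 12, 0, tzinfo=timezone.utc)

# NAME[;PARAMS]:VALUE, e.g. "DTSTART;TZID=Europe/Paris:20230412T150000"
_PROP_RE = re.compile(r"^(?P<name>[A-Z-]+)(?:;(?P<params>[^:]*))?:(?P<value>.*)$")


def unfold(ics_text):
    """Join RFC 5545 folded lines: a line starting with a space or tab
    continues the previous property line."""
    lines = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ical_datetime(value):
    """Parse a DATE-TIME (UTC 'Z' or floating) or a DATE value.
    Floating times are treated as UTC here, an assumption for this example."""
    value = value.strip()
    for fmt in ("%Y%m%dT%H%M%SZ", "%Y%m%dT%H%M%S", "%Y%m%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def parse_events(ics_text):
    """Return one dict of properties per VEVENT block (parameters dropped)."""
    events, current = [], None
    for line in unfold(ics_text):
        m = _PROP_RE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if name == "BEGIN" and value == "VEVENT":
            current = {}
        elif name == "END" and value == "VEVENT":
            if current is not None:
                events.append(current)
            current = None
        elif current is not None:
            current[name] = value
    return events


def find_backdated_events(ics_text, received_at, max_age=timedelta(days=1)):
    """Flag events whose creation stamp or start lies more than max_age
    before the moment the invitation was received."""
    flagged = []
    for ev in parse_events(ics_text):
        reasons = []
        stamp = parse_ical_datetime(ev.get("DTSTAMP", ""))
        start = parse_ical_datetime(ev.get("DTSTART", ""))
        if stamp is not None and received_at - stamp > max_age:
            reasons.append(f"DTSTAMP {stamp:%Y-%m-%d} is "
                           f"{(received_at - stamp).days} days before receipt")
        if start is not None and received_at - start > max_age:
            reasons.append(f"DTSTART {start:%Y-%m-%d} was already in the past at receipt")
        if reasons:
            flagged.append({"uid": ev.get("UID", "<no UID>"), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_backdated_events(SAMPLE_ICS, RECEIVED_AT):
        print(hit["uid"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

The threshold is deliberately a parameter: legitimate invitations are sometimes forwarded days after creation, so a one-day window is a starting point for triage rather than a hard rule, and a hit should prompt a closer look at the invitation's other fields rather than be treated as proof of compromise.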
The confirmed compromised devices appear in Asia, Europe, and North America. In addition, the prioritised victims of this campaign are journalists, political opposition figures, and NGO workers.
Researchers stated that the QuaDream servers host KingsPawn in several countries, including Ghana, Uzbekistan, Israel, Romania, UAE, Mexico, Singapore, Bulgaria, Hungary, and the Czech Republic.
Furthermore, the attack samples indicate that KingsPawn only targets iOS devices. Still, researchers noted indications that some of the campaign code could be adapted to Android-based campaigns.
Researchers confirmed that the malware developers included a self-destruct feature on KingsPawn to avoid threat analysis.
This latest campaign shows that commercial spyware is growing, as new threat actors run similar campaigns that spy on users. Experts suggest iPhone users enable Lockdown Mode, which offers enhanced security for iOS devices. Finally, iPhone owners should update their devices to the latest software versions to avoid infection by these attacks.
