Recently Discovered ‘Reign’ iPhone Spyware Tool Was Sold to Governments


A new report from Citizen Lab says the group has discovered a Pegasus-like, iPhone-targeted spyware tool named “Reign” that has been sold to governments and can be used to monitor the activities of targeted individuals. The spyware is said to be similar to the NSO Group’s “Pegasus” spyware, which has been used multiple times in the past to spy on journalists, activists, and political opponents.

Citizen Lab says that based on analysis of samples provided to them by Microsoft Threat Intelligence, the Reign spying tool is provided by Israeli company QuaDream and allows governments to spy on targeted opponents.

QuaDream has been around for several years, developing advanced spyware products. The company appears to include among its clients several governments around the world.

The group says it has identified at least five targeted spyware cases in North America, Central Asia, Southeast Asia, Europe, and the Middle East. Victims of the spyware attacks included journalists, political opposition figures, and an NGO worker.

The spyware is deployed on targeted devices through the “Endofdays” iOS 14 zero-click exploit, which uses invisible iCloud calendar invitations sent to victims. Once installed on a device, the spyware allows operators to access multiple iOS and iPhone features, similar to the way NSO Group’s Pegasus did.

Features accessible by Reign include:

  • Audio recordings of calls
  • iPhone microphone access
  • iPhone camera access
  • Exfiltration and removal of items from the Keychain
  • Generation of iCloud 2FA passwords
  • Searching through files on the device
  • Tracking the location of the iPhone
  • The ability to remove traces of the spyware in an attempt to minimize detection

While the spyware boasted a self-destruct feature intended to remove traces of the spyware, the feature actually aided researchers in identifying when a user had been attacked with the surveillance tool.

Citizen Lab’s contacts in the threat intelligence community provided a network indicator linked to QuaDream’s spyware. Using it, Citizen Lab was able to identify 600+ servers and 200 domain names that appeared to be linked to QuaDream’s spyware from late 2021 to early 2023. These included servers believed to be used to receive data from the spyware’s victims, as well as servers used for the spyware’s one-click browser exploits.

Citizen Lab believes QuaDream systems are being operated in the following countries:

  • Czech Republic
  • Hungary
  • Ghana
  • Bulgaria
  • Romania
  • Israel
  • Mexico
  • United Arab Emirates (UAE)
  • Uzbekistan
  • Singapore

Citizen Lab shared its results with Microsoft Threat Intelligence, which performed additional scanning to identify domain names linked to QuaDream. Microsoft Threat Intelligence has published its findings in its own report.

The QuaDream group is still in operation and is believed to share “common roots” with the NSO Group, according to Citizen Lab. The group is also said to be connected to other Israeli commercial spyware vendors, as well as Israeli government intelligence agencies.

QuaDream was co-founded by a former Israeli military officer and former NSO employees. The group managed to stay out of the spotlight for quite a while.

This information first appeared on Mactrast.com
