A video by Seytonic on YouTube summarizes reports from Microsoft and Citizen Lab on how iPhone calendar invitations were used to compromise the phones of journalists and other civil society targets with spyware sold by the Israeli surveillance vendor QuaDream. QuaDream is a private company rather than a state agency; it was founded by former NSO Group employees, among them Guy Geva and Nimrod Reznik, and Citizen Lab links it to a partner company based in Cyprus. Its reported customers include the government of Saudi Arabia, and internet scanning placed likely operator infrastructure in at least ten countries, spanning North America (Mexico), Europe, the Middle East, Africa and Asia.
QuaDream's iPhone spyware suite is known as Reign. Citizen Lab named the exploit that delivered it ENDOFDAYS. It was a zero-click exploit, meaning it required no interaction from the victim, and it was used against iOS 14.4 and 14.4.2 (possibly other versions as well). The delivery vector was iCloud calendar invitations: when an invitation carries an event time in the past, iOS of that era processed it and added it to the calendar automatically, without a prompt or notification to the user, so an operator could send an invitation carrying the exploit and have the phone handle it silently. The exploit is understood to have been carried in the invitation data itself (the iCalendar/.ics format, which is plain text rather than XML, so "XML escape" is not an accurate description); neither the Microsoft nor the Citizen Lab report publishes the underlying parsing flaw, so the exact trigger inside the invitation remains undisclosed. Citizen Lab identified at least five civil society victims, including journalists and political opposition figures, and reporting ties the tool to multiple government customers, Saudi Arabia among them.
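The property ENDOFDAYS relied on, an invitation whose event time lies well in the past, is something a defender can look for in invitation data pulled from a calendar store or captured at a mail gateway. The script below is an added example, not code from Citizen Lab, Microsoft or Seytonic, and it does not reproduce the exploit or know anything about the undisclosed parsing bug; it only parses iCalendar (.ics) text and flags invitations whose DTSTART is far earlier than the time the invitation was received. The .ics sample, the receipt time and the one-day threshold are constructed for the example.

```python
"""Heuristic triage of iCalendar invitations for backdated events (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, not real attack artefacts: one ordinary invite and one whose
# event is dated years before it was sent. The second SUMMARY is folded across two
# lines to exercise RFC 5545 unfolding.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Constructed Sample//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:legit-001@example.com
DTSTAMP:20230410T090000Z
DTSTART:20230412T140000Z
DTEND:20230412T150000Z
ORGANIZER;CN=Alice:mailto:alice@example.com
SUMMARY:Team sync
END:VEVENT
BEGIN:VEVENT
UID:odd-002@example.net
DTSTAMP:20230410T090500Z
DTSTART:20180101T000000Z
DTEND:20180101T003000Z
ORGANIZER:mailto:unknown@example.net
SUMMARY:This summary is deliberately folded across two
  lines to exercise RFC 5545 unfolding
END:VEVENT
END:VCALENDAR
"""

# Constructed receipt time; in real use take it from the transport (mail header,
# sync record), never from DTSTAMP, because the sender controls DTSTAMP too.
SAMPLE_RECEIVED_AT = datetime(2023, 4, 10, 9, 10, tzinfo=timezone.utc)


def unfold(text):
    """RFC 5545 unfolding: a line starting with a space or tab continues the previous line."""
    lines = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_events(text):
    """One dict of properties per VEVENT; parameters such as ;CN= or ;TZID= are dropped."""
    events, current = [], None
    for line in unfold(text):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            if current is not None:
                events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, _, value = line.partition(":")
            current[name.split(";")[0].upper()] = value
    return events


def parse_dt(value):
    """Parse DATE-TIME (YYYYMMDDTHHMMSS, optional Z) or DATE (YYYYMMDD).
    Floating and TZID-qualified times are treated as UTC; that assumption is
    harmless for a check looking for multi-year backdating."""
    value = value.strip()
    if re.fullmatch(r"\d{8}T\d{6}Z?", value):
        return datetime.strptime(value[:15], "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    if re.fullmatch(r"\d{8}", value):
        return datetime.strptime(value, "%Y%m%d").replace(tzinfo=timezone.utc)
    raise ValueError(f"unsupported iCalendar date value: {value!r}")


def organizer_address(event):
    """ORGANIZER without its mailto: prefix; empty string if absent."""
    org = event.get("ORGANIZER", "")
    return org[7:] if org.lower().startswith("mailto:") else org


def flag_backdated(events, received_at, max_age=timedelta(days=1)):
    """Return the events whose DTSTART is more than max_age before the receipt time."""
    hits = []
    for ev in events:
        if "DTSTART" not in ev:
            continue
        age = received_at - parse_dt(ev["DTSTART"])
        if age > max_age:
            hits.append({"uid": ev.get("UID", ""), "organizer": organizer_address(ev),
                         "age_days": age.days, "summary": ev.get("SUMMARY", "")})
    return hits


if __name__ == "__main__":
    for hit in flag_backdated(parse_events(SAMPLE_ICS), SAMPLE_RECEIVED_AT):
        print(f"backdated by {hit['age_days']} days: uid={hit['uid']} organizer={hit['organizer']}")
```

Treat a hit as a lead, not a verdict: people do add past events by hand, and a legitimate organizer can send a corrected invite for a meeting that already happened. What makes a backdated invite interesting in this context is the combination with an organizer address the user has never corresponded with and an empty or meaningless summary, which is why the output keeps both fields.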
Citizen Lab fingerprinted QuaDream's server infrastructure through internet scanning and found matching systems in the following countries. These are likely operator locations rather than confirmed customers: Mexico, Czech Republic, Hungary, Bulgaria, Romania, Uzbekistan, Israel, UAE, Ghana, and Singapore.
Both Microsoft and Citizen Lab published indicators of compromise; each report is hyperlinked in the first line of this article on the respective organization's name. Microsoft tracks the operator as DEV-0196 (the name used in the indicators below) and calls the implant KingsPawn. Microsoft's indicators follow. This article will be updated as more information is discovered.
Indicators of compromise (IOCs)
Host-based indicators
These host-based indicators are indicative of DEV-0196 activity; however, they shouldn’t be used solely as attribution since other actors may also use the same or similar TTPs.
The file existing, or process activity from, /private/var/db/com.apple.xpc.roleaccountd.staging/subridged
The file existing, or process activity from, com.apple.avcapture
The folder /private/var/db/com.apple.xpc.roleaccountd.staging/PlugIns/fud.appex/ existing, or having activity detected from the folder.
Network indicators
Based on the results of its C2 investigation, Microsoft Threat Intelligence associates the following domains with DEV-0196 activity. The date each domain was first detected as likely in use is given, along with the last date it was seen active; CURRENT means the domain was still active when the report was published, and a domain that appears more than once was observed in more than one activity window.
Domain | First active | Last active |
fosterunch[.]com | 2022-05-30 | CURRENT |
womnbling[.]com | 2022-05-30 | CURRENT |
zebra-arts[.]com | 2022-05-31 | CURRENT |
pennywines[.]com | 2022-08-19 | CURRENT |
choccoline[.]com | 2022-08-19 | CURRENT |
lateparties[.]com | 2022-09-15 | CURRENT |
foundurycolletive[.]com | 2022-11-07 | CURRENT |
jungelfruitime[.]com | 2022-11-09 | CURRENT |
gameboysess[.]com | 2022-11-09 | CURRENT |
healthcovid19[.]com | 2022-11-10 | CURRENT |
codingstudies[.]com | 2022-11-16 | CURRENT |
hoteluxurysm[.]com | 2022-11-18 | CURRENT |
newz-globe[.]com | 2022-11-23 | CURRENT |
hotalsextra[.]com | 2022-11-23 | CURRENT |
nordmanetime[.]com | 2022-11-23 | CURRENT |
fullaniimal[.]com | 2022-11-23 | CURRENT |
wikipedoptions[.]com | 2022-11-23 | CURRENT |
redanddred[.]com | 2022-11-23 | CURRENT |
whiteandpiink[.]com | 2022-12-02 | CURRENT |
agronomsdoc[.]com | 2022-12-02 | CURRENT |
nutureheus[.]com | 2022-12-02 | CURRENT |
timeeforsports[.]com | 2022-12-15 | CURRENT |
treerroots[.]com | 2022-12-15 | CURRENT |
unitedyears[.]com | 2022-12-15 | CURRENT |
eccocredit[.]com | 2022-12-16 | CURRENT |
ecologitics[.]com | 2022-12-19 | CURRENT |
climatestews[.]com | 2022-12-19 | CURRENT |
aqualizas[.]com | 2022-12-19 | CURRENT |
bgnews-bg[.]com | 2022-12-20 | CURRENT |
mikontravels[.]com | 2022-12-23 | CURRENT |
e-gaming[.]online | 2022-12-23 | CURRENT |
transformaition[.]com | 2022-12-23 | CURRENT |
betterstime[.]com | 2022-12-23 | CURRENT |
goshopeerz[.]com | 2022-12-23 | CURRENT |
countshops[.]com | 2022-12-23 | CURRENT |
inneture[.]com | 2022-12-23 | CURRENT |
shoppingeos[.]com | 2022-12-23 | CURRENT |
mwww[.]ro | 2023-01-05 | CURRENT |
rentalproct[.]com | 2023-01-05 | CURRENT |
bcarental[.]com | 2023-01-05 | CURRENT |
kikocruize[.]com | 2023-01-05 | CURRENT |
elvacream[.]com | 2023-01-10 | CURRENT |
pachadesert[.]com | 2023-01-12 | CURRENT |
razzodev[.]com | 2023-02-06 | CURRENT |
wombatcash[.]com | 2023-02-06 | CURRENT |
globepayinfo[.]com | 2023-02-06 | CURRENT |
job4uhunt[.]com | 2023-02-08 | CURRENT |
ctbgameson[.]com | 2023-02-08 | CURRENT |
adeptary[.]com | 2023-02-08 | CURRENT |
hinterfy[.]com | 2023-02-08 | CURRENT |
biznomex[.]com | 2023-02-08 | CURRENT |
careerhub4u[.]com | 2023-02-08 | CURRENT |
furiamoc[.]com | 2023-02-08 | CURRENT |
motorgamings[.]com | 2023-02-08 | CURRENT |
aniarchit[.]com | 2023-02-08 | CURRENT |
skyphotogreen[.]com | 2023-02-26 | CURRENT |
datacentertime[.]com | 2023-02-26 | CURRENT |
stylelifees[.]com | 2023-02-26 | CURRENT |
kidzlande[.]com | 2023-03-01 | CURRENT |
homelosite[.]com | 2023-03-01 | CURRENT |
zooloow[.]com | 2023-03-01 | CURRENT |
studiesutshifts[.]com | 2023-03-01 | CURRENT |
codingstudies[.]com | 2023-03-08 | CURRENT |
londonistory[.]com | 2023-03-16 | CURRENT |
bestteamlife[.]com | 2023-03-16 | CURRENT |
newsandlocalupdates[.]com | 2023-03-16 | CURRENT |
youristores[.]com | 2023-03-16 | CURRENT |
zooloow[.]com | 2023-02-26 | 2023-03-04 |
kidzlande[.]com | 2023-02-26 | 2023-03-04 |
homelosite[.]com | 2023-02-26 | 2023-03-04 |
studiesutshifts[.]com | 2023-02-26 | 2023-03-04 |
datacentertime[.]com | 2022-11-07 | 2023-02-25 |
homelosite[.]com | 2022-11-09 | 2023-02-25 |
zooloow[.]com | 2022-11-10 | 2023-02-25 |
kidzlande[.]com | 2022-11-10 | 2023-02-25 |
studiesutshifts[.]com | 2022-11-10 | 2023-02-25 |
stylelifees[.]com | 2022-11-11 | 2023-02-25 |
skyphotogreen[.]com | 2022-11-11 | 2023-02-25 |
gardenearthis[.]com | 2023-01-11 | 2023-02-25 |
fullstorelife[.]com | 2023-01-11 | 2023-02-25 |
incollegely[.]org | 2022-05-24 | 2023-01-20 |
shoplifys[.]com | 2022-05-26 | 2023-01-20 |
thetimespress[.]com | 2022-06-24 | 2023-01-20 |
studyshifts[.]com | 2022-06-24 | 2023-01-20 |
codinerom[.]com | 2022-07-10 | 2023-01-20 |
gamingcolonys[.]com | 2022-07-17 | 2023-01-20 |
kidzalnd[.]org | 2022-07-17 | 2023-01-20 |
wildhour[.]store | 2022-07-26 | 2023-01-20 |
wilddog[.]site | 2022-07-26 | 2023-01-20 |
garilc[.]com | 2022-07-26 | 2023-01-20 |
runningandbeyond[.]org | 2022-08-04 | 2023-01-20 |
fullmoongreyparty[.]org | 2022-08-04 | 2023-01-20 |
greenrunners[.]org | 2022-08-04 | 2023-01-20 |
sunsandlights[.]com | 2022-08-09 | 2023-01-20 |
techpowerlight[.]com | 2022-08-16 | 2023-01-20 |
gamezess[.]com | 2022-08-29 | 2023-01-20 |
planningly[.]org | 2022-08-29 | 2023-01-20 |
luxario[.]org | 2022-09-03 | 2023-01-20 |
vinoneros[.]com | 2022-09-03 | 2023-01-20 |
i-reality[.]online | 2022-09-07 | 2023-01-20 |
styleanature[.]com | 2022-09-07 | 2023-01-20 |
planetosgame[.]com | 2022-12-12 | 2023-01-20 |
kidsfunland[.]org | 2022-07-29 | 2023-01-19 |
fullstorelife[.]com | 2022-11-11 | 2023-01-09 |
localtallk[.]store | 2022-01-26 | 2022-12-20 |
allplaces[.]online | 2022-01-26 | 2022-12-20 |
sunclub[.]site | 2022-01-26 | 2022-12-20 |
thenewsfill[.]com | 2022-05-26 | 2022-12-20 |
wellnessjane[.]org | 2022-05-26 | 2022-12-20 |
meehealth[.]org | 2022-05-27 | 2022-12-20 |
gameizes[.]com | 2022-07-20 | 2022-12-20 |
playozas[.]com | 2022-07-20 | 2022-12-20 |
foodyplates[.]com | 2022-07-20 | 2022-12-20 |
designaroo[.]org | 2022-08-29 | 2022-12-20 |
designspacing[.]org | 2022-08-29 | 2022-12-20 |
stockstiming[.]org | 2022-09-01 | 2022-12-20 |
hoteliqo[.]com | 2022-09-01 | 2022-12-20 |
projectoid[.]org | 2022-09-01 | 2022-12-20 |
study-search[.]com | 2022-09-01 | 2022-12-20 |
tokenberries[.]com | 2022-09-03 | 2022-12-20 |
recovery-plan[.]org | 2022-09-07 | 2022-12-20 |
deliverystorz[.]com | 2022-09-07 | 2022-12-20 |
forestaaa[.]com | 2022-10-04 | 2022-12-20 |
addictmetui[.]com | 2022-10-20 | 2022-12-20 |
earthyouwantiis[.]com | 2022-10-20 | 2022-12-20 |
zedforme[.]com | 2022-10-20 | 2022-12-20 |
forestaaa[.]com | 2022-10-28 | 2022-12-20 |
navadatime[.]com | 2022-11-10 | 2022-12-15 |
careers4ad[.]com | 2022-11-13 | 2022-12-15 |
gardenearthis[.]com | 2022-11-07 | 2022-12-14 |
studyreaserch[.]com | 2022-11-09 | 2022-12-14 |
novinite[.]biz | 2022-08-31 | 2022-12-10 |
agronomsdoc[.]com | 2022-11-16 | 2022-11-28 |
whiteandpiink[.]com | 2022-11-16 | 2022-11-28 |
nutureheus[.]com | 2022-11-18 | 2022-11-28 |
dressuse[.]com | 2022-09-18 | 2022-11-20 |
iwoodstor[.]xyz | 2022-09-18 | 2022-11-20 |
teachlearning[.]org | 2022-09-18 | 2022-11-20 |
subcloud[.]online | 2022-09-21 | 2022-11-20 |
monvesting[.]com | 2022-09-21 | 2022-11-20 |
elektrozi[.]com | 2022-09-21 | 2022-11-20 |
hoteluxurysm[.]com | 2022-11-09 | 2022-11-14 |
hopsite[.]online | 2022-11-13 | 2022-11-14 |
bikersrental[.]com | 2022-05-24 | 2022-11-13 |
takestox[.]com | 2022-05-24 | 2022-11-13 |
sidelot[.]org | 2022-05-24 | 2022-11-13 |
powercodings[.]com | 2022-08-21 | 2022-11-13 |
naturemeter[.]org | 2022-08-21 | 2022-11-13 |
takebreak[.]io | 2022-10-12 | 2022-11-13 |
fullstorelife[.]com | 2022-11-07 | 2022-11-10 |
noraplant[.]com | 2022-11-09 | 2022-11-09 |
forestaaa[.]com | 2022-10-04 | 2022-11-07 |
goodsforuw[.]com | 2022-10-26 | 2022-11-07 |
stayle[.]co | 2022-10-26 | 2022-11-07 |
eedloversra[.]online | 2022-10-28 | 2022-11-07 |
sevensdfe[.]com | 2022-11-03 | 2022-11-07 |
dsudro[.]com | 2022-11-03 | 2022-11-07 |
gameboysess[.]com | 2022-11-07 | 2022-11-07 |
sseamb[.]com | 2022-10-26 | 2022-11-06 |
healthcovid19[.]com | 2022-11-04 | 2022-11-06 |
noraplant[.]com | 2022-11-04 | 2022-11-06 |
fullstorelife[.]com | 2022-11-04 | 2022-11-06 |
datacentertime[.]com | 2022-11-04 | 2022-11-05 |
recover-your-body[.]xyz | 2022-01-06 | 2022-11-02 |
reloadyourbrowser[.]info | 2022-07-05 | 2022-11-02 |
comeandpet[.]me | 2022-07-05 | 2022-11-02 |
brushyourteeth[.]online | 2022-07-05 | 2022-11-02 |
digital-mar[.]com | 2022-08-10 | 2022-11-02 |
retailmark[.]net | 2022-08-16 | 2022-11-02 |
dsudro[.]com | 2022-10-04 | 2022-11-02 |
studysliii[.]com | 2022-10-26 | 2022-11-02 |
homeigardens[.]com | 2022-09-07 | 2022-10-29 |
stayle[.]co | 2022-10-20 | 2022-10-24 |
studysliii[.]com | 2022-10-20 | 2022-10-24 |
goodsforuw[.]com | 2022-10-20 | 2022-10-24 |
dsudro[.]com | 2022-10-20 | 2022-10-24 |
sseamb[.]com | 2022-10-20 | 2022-10-24 |
sevensdfe[.]com | 2022-10-20 | 2022-10-24 |
koraliowe[.]com | 2022-04-05 | 2022-10-13 |
topuprr[.]com | 2022-04-05 | 2022-10-13 |
zeebefg[.]com | 2022-04-05 | 2022-10-12 |
takebreak[.]io | 2022-06-21 | 2022-10-11 |
forestaaa[.]com | 2022-10-03 | 2022-10-03 |
teachlearning[.]org | 2022-09-18 | 2022-09-18 |
newsbuiltin[.]online | 2022-09-15 | 2022-09-17 |
jyfa[.]xyz | 2022-09-15 | 2022-09-17 |
monvesting[.]com | 2022-07-19 | 2022-09-15 |
teachlearning[.]org | 2022-07-19 | 2022-09-15 |
elektrozi[.]com | 2022-07-20 | 2022-09-15 |
thepila[.]com | 2022-09-15 | 2022-09-15 |
thegreenlight[.]xyz | 2022-01-11 | 2022-09-14 |
gosport24[.]com | 2022-01-11 | 2022-09-14 |
classiccolor[.]live | 2022-01-11 | 2022-09-11 |
shoeszise[.]xyz | 2022-02-24 | 2022-09-11 |
cleanitgo[.]info | 2022-02-24 | 2022-09-11 |
setclass[.]live | 2022-02-24 | 2022-09-11 |
white-rhino[.]online | 2022-04-14 | 2022-09-11 |
space-moon[.]com | 2022-04-14 | 2022-09-11 |
enrollering[.]com | 2022-05-24 | 2022-09-11 |
newslocalupdates[.]com | 2022-08-19 | 2022-09-11 |
newsbuiltin[.]online | 2022-09-11 | 2022-09-11 |
beendos[.]com | 2022-04-14 | 2022-09-10 |
linestrip[.]online | 2022-07-01 | 2022-09-07 |
sunnyweek[.]site | 2022-07-01 | 2022-09-07 |
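The table above is defanged ("[.]" in place of ".") and lists some domains several times with different activity windows, so matching it against DNS telemetry takes a little care: refang, match subdomains as well as exact names, and keep every window so a query can be checked against the dates Microsoft actually observed the domain in use. The script below is an added example, not Microsoft's or Citizen Lab's code. It parses rows in the page's own "domain | first | last |" layout (only a few rows are copied in; paste the full table into the string for real use), scans constructed DNS log lines in a made-up "timestamp client qtype qname" format, and also checks a constructed list of file paths against the three host indicators above. Microsoft's caveat applies throughout: these indicators point at DEV-0196 activity but are not proof of attribution on their own.

```python
"""Match DNS log lines and file paths against the DEV-0196 indicators (added example)."""
from datetime import date

# Excerpt of the table above, copied in the page's own layout. Constructed subset.
TABLE_EXCERPT = """\
Domain | First active | Last active |
fosterunch[.]com | 2022-05-30 | CURRENT |
healthcovid19[.]com | 2022-11-10 | CURRENT |
takebreak[.]io | 2022-10-12 | 2022-11-13 |
takebreak[.]io | 2022-06-21 | 2022-10-11 |
"""

# The three host-based indicators from Microsoft's report, verbatim.
HOST_INDICATORS = (
    "/private/var/db/com.apple.xpc.roleaccountd.staging/subridged",
    "com.apple.avcapture",
    "/private/var/db/com.apple.xpc.roleaccountd.staging/PlugIns/fud.appex/",
)

# Constructed DNS log: "<ISO timestamp> <client> <qtype> <qname>" per line.
SAMPLE_DNS_LOG = """\
2022-11-12T10:01:03Z 10.0.0.5 A takebreak.io
2022-11-12T10:01:04Z 10.0.0.5 A cdn.fosterunch.com
2022-04-01T08:00:00Z 10.0.0.9 A takebreak.io
2022-11-12T10:02:00Z 10.0.0.7 A www.apple.com
"""

# Constructed file listing, as one might get from a backup or sysdiagnose inventory.
SAMPLE_PATHS = [
    "/private/var/db/com.apple.xpc.roleaccountd.staging/subridged",
    "/private/var/db/com.apple.xpc.roleaccountd.staging/PlugIns/fud.appex/Info.plist",
    "/private/var/tmp/com.apple.avcapture",
    "/private/var/db/com.apple.xpc.roleaccountd.staging/unrelated.plist",
]


def refang(domain):
    """Turn the defanged 'example[.]com' form into a normalised real domain name."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def parse_table(text):
    """Map each domain to its list of (first_active, last_active) windows.
    last_active is None for CURRENT; repeated rows contribute separate windows."""
    windows = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 3 or cells[0].lower() == "domain":
            continue
        domain, first, last = cells
        last_day = None if last.upper() == "CURRENT" else date.fromisoformat(last)
        windows.setdefault(refang(domain), []).append((date.fromisoformat(first), last_day))
    return windows


def match_domain(qname, windows):
    """Return the indicator that qname equals or is a subdomain of, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in windows:
            return candidate
    return None


def in_window(day, domain_windows):
    """True if the query date falls inside any observed activity window."""
    return any(first <= day and (last is None or day <= last) for first, last in domain_windows)


def scan_dns(log_text, windows):
    """Return one hit per query that touches an indicator, noting whether the query
    date lies inside Microsoft's observed activity window for that domain."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, client, _qtype, qname = line.split()
        ioc = match_domain(qname, windows)
        if ioc is not None:
            hits.append({"client": client, "qname": qname, "ioc": ioc,
                         "in_window": in_window(date.fromisoformat(timestamp[:10]), windows[ioc])})
    return hits


def scan_paths(paths):
    """Return (path, indicator) pairs. Absolute indicators match the path itself or
    anything beneath a folder indicator; the bare name matches the last path component."""
    hits = []
    for path in paths:
        for indicator in HOST_INDICATORS:
            if indicator.startswith("/"):
                folder = indicator.rstrip("/")
                matched = path == folder or path.startswith(folder + "/")
            else:
                matched = path.rsplit("/", 1)[-1] == indicator
            if matched:
                hits.append((path, indicator))
                break
    return hits


if __name__ == "__main__":
    windows = parse_table(TABLE_EXCERPT)
    for hit in scan_dns(SAMPLE_DNS_LOG, windows):
        print("dns ", hit)
    for hit in scan_paths(SAMPLE_PATHS):
        print("host", hit)
```

A query outside the observed window is still reported, just with in_window set to False: Microsoft's dates are first and last detection, not proof the domain was idle outside them, so an out-of-window hit deserves a look rather than an automatic discard. The bare "com.apple.avcapture" indicator is matched only on the final path component, which is the least surprising reading of Microsoft's wording; tighten it to a full path if your own telemetry supports that.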