{"id":22516,"date":"2024-03-21T15:43:39","date_gmt":"2024-03-21T19:43:39","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/commercial-spyware\/22516\/"},"modified":"2024-03-22T13:53:02","modified_gmt":"2024-03-22T09:53:02","slug":"commercial-spyware","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/commercial-spyware\/22516\/","title":{"rendered":"The most notorious instances of commercial spyware"},"content":{"rendered":"

Commercial spyware has of late been making the headlines with increasing frequency. And we\u2019re not just talking about media channels dedicated to IT or cybersecurity; reports on commercial spyware have been appearing regularly in mainstream media for some time now.<\/p>\n

In this post, we discuss the existing commercial spyware packages, how they operate, what they\u2019re capable of, and why they\u2019re dangerous. And as always, we finish with advice on how to defend against them.<\/p>\n

What is commercial spyware?<\/h2>\n

\nLet\u2019s start with a definition. Commercial spyware is legal malware created by private companies and designed to conduct targeted surveillance and collect sensitive data from users\u2019 devices. The standard tasks of commercial spyware include stealing messages, eavesdropping on calls, and tracking location.<\/p>\n

To install commercial spyware on a victim\u2019s device, attackers often use zero-day vulnerabilities, and in many cases \u2014 zero-click exploits, which make infection possible without requiring any action on the part of the victim.<\/p>\n

Spyware always tries to be as inconspicuous as possible, for the longer the victim remains unaware of the infection, the more information attackers can gather. Moreover, commercial spyware often includes tools for removing traces of infection, so victims may not even suspect afterward that someone was monitoring them.<\/p>\n

Although commercial spyware is developed by private companies, they typically sell it to various government organizations \u2014 primarily law enforcement and other security agencies.<\/p>\n

As a result, commercial spyware is used, among other things, to monitor civilian activists, journalists, and other non-criminal individuals. In fact, that\u2019s exactly why spyware programs regularly make the headlines.<\/p>\n

1. Pegasus \u2014 NSO Group<\/h2>\n

Targeted OS:<\/strong><\/p>\n

iOS, Android<\/p>\n

Zero-day vulnerability exploitation:<\/strong> Apple iOS, Apple Safari, WhatsApp, Apple iMessage<\/p>\n

Zero-click exploit use:<\/strong> yes<\/p>\n

Country of origin:<\/strong> Israel<\/p>\n

Alternative names:<\/strong> Chrysaor, DEV-0336, Night Tsunami<\/p>\n

Now let\u2019s talk about specific companies, starting with the most prominent player in the commercial spyware market \u2014 the notorious Israeli NSO Group, developer of the iOS spyware Pegasus, and its Android version<\/a> Chrysaor. The early version of Pegasus, discovered<\/a> in 2016, required the victim to click on a sent link, which opened a malicious page in a browser, which in turn triggered an automatic infection mechanism using the Trident exploit.<\/p>\n

\"How<\/a>

How Pegasus attacks were conducted in 2016. Source<\/a><\/p><\/div>\n

The ability to infect iPhones using zero-click exploits quickly became a hallmark of Pegasus. For example, a few years ago, an attack on Apple smartphones exploited a vulnerability in WhatsApp voice calls<\/a> activated with a series of malicious packets. The vulnerability, in turn, enabled remote code execution on the targeted device.<\/p>\n

The FORCEDENTRY exploit, discovered<\/a> by Citizen Lab in 2021 and thoroughly researched<\/a> by the Google Project Zero team, is the most notorious. It was designed to attack the Apple iMessage system, enabling spyware to be launched on the victim\u2019s iPhone after sending them a message containing a GIF file.<\/p>\n

However, this file wasn\u2019t an animated image at all but rather an infected PDF document in which a compression algorithm was used. When the victim\u2019s smartphone attempted to preview the document, a vulnerability in the program responsible for handling this compression algorithm was triggered, leading to execution of a chain of exploits and, ultimately, infection of the device.<\/p>\n

After this exploit was discovered, Apple patched the vulnerabilities. However, as it later turned out, NSO Group simply moved on to exploit vulnerabilities in other applications as if nothing had happened. In April 2023, the same Citizen Lab published research on the FINDMYPWN and PWNYOURHOME exploits<\/a>. The former was linked to a vulnerability in Apple\u2019s Find My app, while the latter targeted its HomeKit. However, the ultimate target for both of these exploits was the same: the iMessage messaging system.<\/p>\n

\"Lockdown<\/a>

Lockdown Mode messages about blocking PWNYOURHOME exploit attacks. Source<\/a><\/p><\/div>\n

Finally, in September 2023, Citizen Lab released information about another exploit used by NSO Group: BLASTPASS<\/a>. This exploit works similarly \u2014 also activating a vulnerability in iMessage \u2014 but this time related to the mechanism for sending Apple Wallet objects, such as event tickets, in messages.<\/p>\n

Regardless of the specific attack vector, infection results in attackers gaining access to the victim\u2019s messages, intercepting calls, stealing passwords, and tracking location. The geographical reach of this spyware is massive \u2014 and the corresponding section of the Pegasus Wikipedia entry<\/a> occupies an impressive amount of space.<\/p>\n

2. DevilsTongue, Sherlock \u2014 Candiru<\/h2>\n

Targeted OS:<\/strong><\/p>\n

Windows, macOS, iOS, Android<\/p>\n

Zero-day vulnerability exploitation:<\/strong> Microsoft Windows, Google Chrome<\/p>\n

Zero-click exploit use:<\/strong> likely<\/p>\n

Country of origin:<\/strong> Israel<\/p>\n

Alternative names:<\/strong> SOURGUM, Caramel Tsunami, Saito Tech Ltd.<\/p>\n

Another Israeli company that develops commercial spyware is Candiru, founded in 2014. In fact, this is only the first of the various names this cyber-espionage organization have used. Since they constantly change their moniker, it\u2019s likely they\u2019re working under a different one now. It\u2019s known that Candiru is backed by several investors associated with NSO Group<\/a>. However, unlike NSO Group, Candiru is much more secretive<\/a>: the company has no website, its employees are forbidden to mention their employer on LinkedIn, and in the building where Candiru has its office, you won\u2019t find any mention of it.<\/p>\n

\"Candiru<\/a>

Official names changed by Candiru from 2014 to 2022. Source<\/a><\/p><\/div>\n

Candiru\u2019s activities have not been thoroughly studied yet \u2014 all the information we have is limited to leaked documents and a couple of incident investigations involving spyware developed by this company. For example, Microsoft\u2019s investigation uncovered<\/a> several zero-day vulnerabilities in the Windows operating system that Candiru exploited. There were also several zero-days in the Google Chrome browser<\/a>, which Candiru probably exploited as well.<\/p>\n

The company\u2019s spyware is called DevilsTongue, and has multiple attack vectors \u2014 from hacking devices with physical access and using the man-in-the-middle method, to spreading malicious links and infected MS Office documents.<\/p>\n

\"Description<\/a>

Capabilities of the DevilsTongue spyware developed by Candiru. Source<\/a><\/p><\/div>\n

Candiru also offers a spy tool called Sherlock, which the researchers at Citizen Lab say could be a platform for zero-click attacks on various operating systems \u2014 Windows, iOS, and Android. Furthermore, there are reports that Candiru was developing spyware for attacks on macOS<\/a>.<\/p>\n

3. Alien, Predator \u2014 Cytrox \/ Intellexa<\/h2>\n

Targeted OS:<\/strong><\/p>\n

Android, iOS<\/p>\n

Zero-day vulnerability exploitation:<\/strong> Google Chrome, Google Android, Apple iOS<\/p>\n

Zero-click exploit use:<\/strong> no (but something similar where the Mars complex is used)<\/p>\n

Country of origin:<\/strong> North Macedonia \/ Cyprus<\/p>\n

Alternative names:<\/strong> Helios, Balinese Ltd., Peterbald Ltd.<\/p>\n

Alien is one of the two components of this spyware. It\u2019s responsible for hacking the targeted device and installing the second part \u2014 necessary for setting up surveillance. This second part is called Predator \u2014 in homage to the movie<\/a>.<\/p>\n

The spyware was initially developed by Cytrox, founded in 2017. Its roots are in North Macedonia, with related subsidiary companies registered in both Israel and Hungary. Cytrox was later acquired<\/a> by Cyprus-registered Intellexa, a company owned by Tal Dilian, who served<\/a> 24 years in high-ranking positions in Israeli military intelligence.<\/p>\n

The Alien\/Predator spyware focuses on attacks on both the Android and iOS operating systems. According to last year\u2019s Google Threat Analysis Group study<\/a>, the developers of the Android version of Alien utilized several exploit chains \u2014 including four zero-day vulnerabilities in Google Chrome and one in Android.<\/p>\n

Alien\/Predator attacks started with messages to victims containing malicious links. Once clicked, these links directed victims to the attackers\u2019 website, which exploited the vulnerabilities in the browser (Chrome) and OS (Android) to infect the device. It then immediately redirected the victim to a legitimate page to avoid suspicion.<\/p>\n

Intellexa also offers the Mars spyware suite<\/a> \u2014 part of which is installed on the victim\u2019s mobile-operator\u2019s side. Once installed, Mars waits for the targeted individual to visit an HTTP page, and when they do they use the man-in-the-middle method to redirect the victim to the infected site \u2014 at which point the process described in the previous paragraph triggers.<\/p>\n

Infection by the Predator spyware using Mars occurs without any action on the part of the victim. This resembles a zero-click attack; however, in this case, additional equipment is used instead of vulnerabilities.<\/p>\n

4. Subzero \u2014 DSIRF<\/h2>\n

Targeted OS:<\/strong><\/p>\n

Windows<\/p>\n

Zero-day vulnerability exploitation:<\/strong> Microsoft Windows, Adobe Reader<\/p>\n

Zero-click exploit use:<\/strong> no<\/p>\n

Country of origin:<\/strong> Austria<\/p>\n

Alternative names:<\/strong> KNOTWEED, Denim Tsunami, MLS Machine Learning Solutions GmbH<\/p>\n

The spyware Subzero, developed by the lengthily-named Austrian company DSR Decision Supporting Information Research Forensic GmbH (DSIRF), was first picked up by the German-speaking press back in 2021<\/a>. However, it wasn\u2019t until a year later that this spyware truly gained notoriety. In July 2022, the Microsoft Threat Intelligence team released a detailed study of spyware<\/a> used by a group codenamed KNOTWEED (Denim Tsunami), which the researchers identified as DSIRF Subzero.<\/p>\n

\"DSIRF<\/a>

Slides from a DSIRF presentation detailing the capabilities of the spyware Subzero. Source<\/a><\/p><\/div>\n

To compromise targeted systems, the Subzero malware exploited several zero-day vulnerabilities in both Windows and Adobe Reader. The attack vector typically involved sending the victim an email containing a malicious PDF file, which triggered a chain of exploits upon opening. As a result, bodiless<\/a> spyware was launched on the victim\u2019s device.<\/p>\n

In the next stage, the spyware collected any passwords and other authentication credentials it could find in the infected system \u2014 from browsers, email clients, the Local Security Authority Subsystem Service (LSASS), and the Windows password manager. Presumably, these credentials were later used to gather information about the victim and set up further surveillance.<\/p>\n

According to the researchers, the Subzero malware has been used to attack organizations in Europe and Central America since at least 2020. The researchers also noted that DSIRF not only sold spyware but also arranged for its employees to participate in the attacks.<\/p>\n

In August 2023, it was announced that DSIRF would be shutting down<\/a>. But it\u2019s too early to rejoice just yet: it\u2019s possible that cyber-espionage activities will be continued<\/a> by DSIRF\u2019s subsidiary \u2014 MLS, Machine Learning Solutions \u2014 which is believed<\/a> to be the current owner of the Subzero spyware. By the way, the MLS website is still fully operational \u2014 unlike the DSIRF page, which was \u201cunder maintenance\u201d at the time of writing.<\/p>\n

5. Heliconia \u2014 Variston IT<\/h2>\n

Targeted OS:<\/strong><\/p>\n

Windows, Linux<\/p>\n

Zero-day vulnerability exploitation:<\/strong> Microsoft Defender, Google Chrome, Mozilla Firefox<\/p>\n

Zero-click exploit use:<\/strong> no<\/p>\n

Country of origin:<\/strong> Spain<\/p>\n

Alternative names:<\/strong> none<\/p>\n

Also in 2022, around the same time Microsoft published details about Subzero\u2019s activities, Google presented its research<\/a> analyzing another type of commercial spyware \u2014 Heliconia. The Google Threat Analysis Group (TAG) report described three components of this malware designed for attacks on computers running Windows or Linux.<\/p>\n

The first part \u2014 called Heliconia Noise \u2014 exploits a vulnerability in the Google Chrome V8 JavaScript engine. Following its exploitation, Chrome\u2019s sandbox is bypassed, and the spyware launches in the targeted system. Additionally, in the code of this part, a fragment was found mentioning Variston as the malware developer. The Google researchers believe it references the Spanish company Variston IT. This company specializes in providing information security services.<\/p>\n

\"Link<\/a>

Researchers discovered a link to a company named Variston in the Heliconica code. Source<\/a><\/p><\/div>\n

The second part of the spyware suite, which the Google researchers dubbed Heliconia Soft, exploits a vulnerability in the JavaScript engine embedded in the Windows antivirus, Microsoft Defender. This works as follows: first, the victim is sent a link to an infected PDF file containing malicious JavaScript code. This code triggers the Microsoft Defender vulnerability when the automatic scan of the downloaded PDF file starts. As a result of exploiting this vulnerability, Heliconia gains OS-level privileges and the ability to install spyware on the victim\u2019s computer.<\/p>\n

The third part is called Helicona Files. It exploits a vulnerability in the XSLT processor<\/a> of the Mozilla Firefox browser to attack computers running Windows or Linux. Judging by this vulnerability, which affects Firefox versions 64 through 68, the spyware was developed quite some time ago and has been in use since at least 2018.<\/p>\n

6. Reign \u2014 QuaDream<\/h2>\n

Targeted OS:<\/strong><\/p>\n

iOS<\/p>\n

Zero-day vulnerability exploitation:<\/strong> Apple iOS<\/p>\n

Zero-click exploit use:<\/strong> yes<\/p>\n

Country of origin:<\/strong> Israel \/ Cyprus<\/p>\n

Alternative names:<\/strong> DEV-0196, Carmine Tsunami, InReach<\/p>\n

QuaDream is another Israeli company that develops spyware called Reign. It was founded by former employees of NSO Group, and the spyware they\u2019ve created bears a striking resemblance to Pegasus. For example, to infect iPhones with Reign spyware, they utilize a zero-click exploit similar to FORCEDENTRY, described above.<\/p>\n

Citizen Lab researchers have dubbed this exploit ENDOFDAYS<\/a>. Apparently, this exploit utilizes vulnerabilities in iCloud Calendar as the initial attack vector, enabling attackers to discreetly infect an iPhone by sending invisible malicious invitations to the calendar.<\/p>\n

As for the spying capabilities of the iOS version of Reign, the list looks impressive:\n<\/p>\n