Following Microsoft, Google and Citizen Lab, another revelation came from Avast researchers. They discovered that the Israeli spyware vendor Candiru used a 0-day vulnerability in Google Chrome. Its main goal was spying on journalists and others in the Middle East using its DevilsTongue software. After being exposed by Citizen Lab, the developer behind the wide range of DevilsTongue operations went into the shadows. As it turned out, it took a pause to retool its arsenal.
Candiru malware strikes through CVE-2022-2294
The choice was CVE-2022-2294, a serious heap buffer overflow in WebRTC which, if exploited successfully, can lead to remote code execution on the target machine. The patch for the bug, as we reported earlier, was published by Google on July 4, but the details of how the 0-day was used were not disclosed at the time. Now they are presented in the Avast report.
Candiru began exploiting the vulnerability in March 2022, targeting users in Lebanon, Turkey and Yemen. The spyware operators used a watering hole strategy, compromising sites their targets visited or creating new ones. Victims were then led to these sites, usually through spear phishing or other exploits. Using Chrome or a Chromium-based browser was a precondition for the attack to succeed.
In one case, the attackers compromised the website of a news agency in Lebanon and injected JavaScript snippets that enabled an XSS attack. Victims were redirected to a server hosting the exploit. There, the attackers profiled each visitor before compromising the device: they collected information about the language settings, time zone, screen, device type, browser applications, device memory, supported features, cookies, and more. In the Lebanon case, the 0-day was used to run shellcode inside the renderer process, chained with a sandbox escape vulnerability; however, the researchers were unable to reproduce that part. It is worth noting that the exploit worked only in a Windows environment.
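The watering hole described above depends on a foreign script being slipped into a legitimate page, so the site owner's first line of defence is knowing exactly which scripts the page is supposed to carry. The Python script below is an added defensive example, not code from the Avast report or from the affected news site: it parses a page's HTML, compares every script source against an allowlist of hosts, and flags inline scripts that carry no CSP nonce or that reference hosts outside the allowlist. The allowlist, the hostnames (`news.example`, `injected-host.invalid`) and the sample page are all constructed for the example.

```python
"""Audit a page's HTML for scripts that do not belong there.

Added example (not from the Avast report). Hosts, page and allowlist
are constructed; run it and adapt ALLOWED_SCRIPT_HOSTS to your own site.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that are allowed to serve scripts to this hypothetical news site.
ALLOWED_SCRIPT_HOSTS = {"news.example", "cdn.news.example"}

# Matches the host part of an http(s) URL inside an inline script body.
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Constructed sample page: two legitimate scripts, then two injected ones
# of the kind a watering hole relies on (a foreign script and an inline
# redirect that only fires for Chrome users).
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="https://cdn.news.example/app.js"></script>
<script nonce="r4nd0m">window.dataLayer = [];</script>
</head><body>
<p>Headline</p>
<script src="https://injected-host.invalid/p.js"></script>
<script>if (navigator.userAgent.indexOf("Chrome") > -1) { location.href = "https://injected-host.invalid/"; }</script>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects every <script> element: its src, nonce and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            attr = dict(attrs)
            self._current = {"src": attr.get("src"), "nonce": attr.get("nonce"), "body": ""}

    def handle_data(self, data):
        # HTMLParser delivers script content as data while inside <script>.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_scripts(html, page_host="news.example", allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, detail) findings for scripts that should not be on the page."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for script in collector.scripts:
        src = script["src"]
        if src is not None:
            # A relative src has no host: it is served by the page's own host.
            host = urlparse(src).hostname or page_host
            if host not in allowed_hosts:
                findings.append(("foreign_src", src))
            continue
        body = script["body"].strip()
        if not body:
            continue
        if script["nonce"] is None:
            # With a nonce-based CSP, a legitimate inline script always has one.
            findings.append(("inline_without_nonce", body[:40]))
        for host in URL_HOST_RE.findall(body):
            if host not in allowed_hosts:
                findings.append(("inline_references_foreign_host", host))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

Run against a snapshot of the live page (for example from a scheduled fetch), the script turns "the page looks normal" into a list of concrete deviations. The nonce check only means something if the site actually deploys a nonce-based Content-Security-Policy; without one, treat every inline script as worth reviewing.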
Further actions
After the initial compromise, DevilsTongue used BYOVD (Bring Your Own Vulnerable Driver) to elevate privileges and gain read and write access to the compromised device's memory. Researchers determined that the driver vulnerability Candiru brought along was also a 0-day. The problem is that it is likely impossible to fix even with an update. The researchers did not determine the exact strategic goal of the detected campaign; analysts assume the attack was aimed at specific persons and their personal information.
About Candiru spyware group
This is not the first case of government-backed malware originating in Israel. Since its appearance in 2014, Candiru has applied a software-as-a-service model, offering its spyware for a 15% commission. Still, its recognition is pretty low, and it hides in the shadow of the infamous Pegasus spyware, which serves dozens of governments all over the world and is the most notable example. But who knows how many such tools actually exist and have never appeared in public? This trend will likely continue as long as open confrontation between countries exists: Israel keeps its tensions with its neighbours, the Russo-Ukrainian war is far from over, and the South Asian region also looks like a powder keg. The temptation to spy on someone always follows political tensions of this sort.