Israeli-made spyware is again in the headlines. The last fallout came from the NSO Group’s Pegasus, which was used to track politicians, journalists, political dissidents, and political rivals, as long as the customer could pay for the service. As to the vetting of customers, it could be argued that little was done: the only requirement, be the customer a dictator or an unscrupulous politician, was the ability to afford the spyware services NSO offered. Now another Israeli firm has been caught using spyware to spy on journalists.
According to a recent blog post published by Avast, Candiru, another provider of spyware-as-a-service, has been seen exploiting a zero-day in Google’s Chrome browser to target journalists throughout the Middle East.
Briefly, Candiru was exposed in 2021 by both Microsoft and Citizen Lab, after which the group seemed to take a brief hiatus to develop its malware to evade more modern detection tactics. In March 2022, Candiru was detected attacking Avast customers based in Lebanon.
The vulnerability in question was made public by Google on July 4, 2022, when the company announced that four patches had been released for as many vulnerabilities.
The vulnerability, CVE-2022-2294, is a heap buffer overflow in WebRTC; when exploited, it achieves shellcode execution inside a renderer process.
Unfortunately for Avast researchers, the zero-day was chained with a sandbox escape exploit, which made obtaining a sample of the malware difficult.
Google was sent proof-of-concept code related to the exploit. Researchers further noted,
“While the exploit was specifically designed for Chrome on Windows, the vulnerability’s potential was much wider. Since the root cause was located in WebRTC, the vulnerability affected not only other Chromium-based browsers (like Microsoft Edge) but also different browsers like Apple’s Safari. We do not know if Candiru developed exploits other than the one targeting Chrome on Windows, but it’s possible that they did. Our Avast Secure Browser was patched on July 5. Microsoft adopted the Chromium patch on July 6, while Apple released a patch for Safari on July 20. We encourage all other WebRTC integrators to patch as soon as possible.”
The main payload dropped after successful exploitation is DevilsTongue, feature-rich spyware purpose-built for surveillance. The malware is capable of file collection, registry querying, running WMI commands, and querying SQLite databases.
It’s capable of stealing victim credentials from both LSASS and browsers, such as Chrome and Firefox. It also has dedicated functionality to decrypt and exfiltrate conversations from the Signal messaging app.
Microsoft researchers shed some more light on the malware, saying,
“DevilsTongue is a complex modular multi-threaded piece of malware written in C and C++ with several novel capabilities…For files on disk, PDB paths and PE timestamps are scrubbed, strings and configs are encrypted, and each file has a unique hash. The main functionality resides in DLLs that are encrypted on disk and only decrypted in memory, making detection more difficult. Configuration and tasking data is separate from the malware, which makes analysis harder. DevilsTongue has both user mode and kernel mode capabilities. There are several novel detection evasion mechanisms built in. All these features are evidence that SOURGUM [Microsoft’s tracking name for Candiru activity] developers are very professional…”
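As an added illustration (not code from the article, Avast or Microsoft), the following Python turns two of the scrubbing traits Microsoft describes, a zeroed or implausible link timestamp and a missing debug directory (hence no PDB path), into a triage heuristic for files on disk; the sample PE headers are constructed inline and the constant names are assumptions.

```python
import struct
import time

# Layout constants from the PE/COFF specification (assumed names, not from the article).
PE32PLUS_MAGIC = 0x20B
DEBUG_DIR_INDEX = 6            # IMAGE_DIRECTORY_ENTRY_DEBUG

def pe_scrub_indicators(data: bytes, now=None) -> dict:
    """Heuristic triage: does this PE look like its build metadata was scrubbed
    (zeroed or implausible link timestamp, no debug directory so no PDB path)?"""
    now = int(time.time()) if now is None else now
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]  # COFF TimeDateStamp
    opt = coff + 20                                          # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (112 if magic == PE32PLUS_MAGIC else 96)  # data directory table
    _rva, dbg_size = struct.unpack_from("<II", data, dd_off + 8 * DEBUG_DIR_INDEX)
    return {
        "timestamp_zeroed": timestamp == 0,
        "timestamp_in_future": timestamp > now,
        "no_debug_directory": dbg_size == 0,
    }

def worth_escalating(data: bytes, now=None) -> bool:
    """Combine the indicators; either one alone is common in legitimate release builds."""
    ind = pe_scrub_indicators(data, now)
    return ind["no_debug_directory"] and (ind["timestamp_zeroed"] or ind["timestamp_in_future"])

def build_sample(timestamp: int, debug_size: int) -> bytes:
    """Constructed, non-executable PE32+ header used only as sample input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 240, 0x22)
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 110    # fields up to the data directories
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * DEBUG_DIR_INDEX, 0x1000 if debug_size else 0, debug_size)
    return dos + coff + opt + bytes(dirs)

SCRUBBED = build_sample(timestamp=0, debug_size=0)              # mimics the described scrubbing
NORMAL = build_sample(timestamp=1_600_000_000, debug_size=28)   # ordinary build with debug info

if __name__ == "__main__":
    for name, blob in (("scrubbed", SCRUBBED), ("normal", NORMAL)):
        print(name, pe_scrub_indicators(blob, now=1_700_000_000), worth_escalating(blob, now=1_700_000_000))
```

Treat the result as a prioritisation signal rather than a verdict: stripped release builds and reproducible builds that write a non-wall-clock timestamp will also trip individual indicators.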
DevilsTongue was attributed to Candiru through research by Citizen Lab, which noted that attribution came down to an operational security mistake. The researchers wrote,
“Using Censys, we found a self-signed TLS certificate that included the email address ‘amitn@candirusecurity[.]com’. We attributed the candirusecurity[.]com domain name to Candiru Ltd, because a second domain name (verification[.]center) was registered in 2015 with a candirusecurity[.]com email address and a phone number (+972-54-2552428) listed by Dun & Bradstreet as the fax number for Candiru Ltd, also known as Saito Tech Ltd.”
As for the targets of this campaign, Avast noted that a website used by employees of a news agency was compromised to deliver the payload.
The exact reason why journalists at that particular news agency are being targeted is not known, but traditionally attackers go after journalists to spy on them and the stories they are working on directly, or to get at their sources and gather compromising information and sensitive data shared with the media.
With journalists once again in the crosshairs of spyware developed for profit, the dangers such malware poses to civil society are highlighted once more.
Unfortunately, this case demonstrates yet again that, in the absence of any international safeguards or strong government export controls, spyware vendors will sell to unscrupulous clients who routinely abuse both the power bestowed upon them and the spyware itself.
This tends to be ignored by companies like Candiru as long as the money keeps flowing into their bank accounts. To make matters worse, many governments are eager to acquire sophisticated surveillance technologies, leaving little will on their part to create international safeguards for civil society.