Following Microsoft, Google and Citizen Lab, another revelation came from Avast researchers. They discovered that the Israeli spyware vendor Candiru used a 0-day vulnerability in Google Chrome. Its main purpose was spying on journalists and others in the Middle East using the DevilsTongue software. After getting a slap from Citizen Lab, the developer behind a wide range of DevilsTongue operations went into the shadows. As it turned out, it only took a pause to retool its arsenal.
Candiru malware strikes through CVE-2022-2294
The vulnerability of choice was CVE-2022-2294, a serious heap buffer overflow in WebRTC which, if exploited successfully, may lead to remote code execution on the target machine. The patch for the bug, as we reported earlier, was published by Google on July 4, but the details of how the 0-day was used in the wild were not disclosed at the time. Now they are presented in the Avast report.
Candiru began exploiting the vulnerability in March 2022, targeting victims in Lebanon, Turkey and Yemen. Spyware operators used a watering hole attack strategy, compromising sites the targets visit or creating new ones. Victims were then lured to these sites, usually through spear phishing or other exploits. Using Chrome or a Chromium-based browser was a precondition for the attackers to succeed.
After the initial infection, DevilsTongue used BYOVD (Bring Your Own Vulnerable Driver) to elevate privileges and gain read and write access to the compromised device’s memory. Researchers determined that the driver vulnerability Candiru exploited in this BYOVD step was also a 0-day. The problem is that it is likely impossible to fix it even with an update. The researchers did not find the exact ultimate strategic goal of the detected campaign. Analysts assume that the attack was aimed at certain persons and their personal information.
About Candiru spyware group
That is not the first case of government-backed malware with origins in Israel. After appearing in 2014, Candiru adopted a Software-as-a-Service model, offering its spyware for a 15% commission. Still, its recognition is pretty low, and it hides in the shadow of the infamous Pegasus spyware. The latter, which serves dozens of governments all over the world, is the most notable one. But who knows how many examples actually exist but have never appeared in public? And this trend will likely continue while open confrontation between different countries exists. Israel keeps up its tensions with its neighbours, and the Russo-Ukrainian war is far from its end. The South Asian region also looks like a powder keg. And the temptation to spy on someone always follows political tensions of this sort.