Microsoft and digital rights watchdog Citizen Lab have released two separate reports detailing a never-before-seen spyware named DevilsTongue that leveraged zero-day vulnerabilities in browsers and the Windows operating system in attacks targeting "politicians, human rights activists, journalists, academics, embassy workers, and political dissidents."
Microsoft said it detected hacking attempts on more than 100 victims in Palestine, Israel, Iran, Lebanon, Spain, the UK, Turkey, Armenia, and Singapore. Citizen Lab said it was able to identify and reach out to a victim who let its researchers analyze their computer and extract the malware.
Citizen Lab concluded that the malware and the zero-day exploits were developed by the Tel Aviv-based spyware maker Candiru (Microsoft tracks the activity as SOURGUM), which sells spyware exclusively to governments. Reportedly, its spyware can infect and monitor iPhones, Android devices, Macs, PCs, and cloud accounts. Citizen Lab said it was able to identify more than 750 websites linked to Candiru’s spyware infrastructure, many of which were disguised as advocacy organizations such as Amnesty International and the Black Lives Matter movement, as media companies, or as other civil-society themed entities.
While analyzing the malware, the Microsoft Threat Intelligence Center (MSTIC) discovered two zero-day flaws (CVE-2021-31979 and CVE-2021-33771), both of which have been fixed as part of the July 2021 Patch Tuesday. These vulnerabilities allow privilege escalation, giving an attacker the ability to escape browser sandboxes and gain kernel code execution.
According to Microsoft, DevilsTongue is a complex, modular, multi-threaded piece of malware written in C and C++ with several novel capabilities. The company said it is still analyzing some of its components and capabilities.
“The main functionality resides in DLLs that are encrypted on disk and only decrypted in memory, making detection more difficult. Configuration and tasking data is separate from the malware, which makes analysis harder. DevilsTongue has both user mode and kernel mode capabilities. There are several novel detection evasion mechanisms built in. All these features are evidence that SOURGUM developers are very professional, have extensive experience writing Windows malware, and have a good understanding of operational security,” Microsoft researchers said.
MSTIC found Candiru using a chain of browser and Windows exploits to deploy the malware on targeted victims. The browser exploits were delivered through single-use URLs sent in WhatsApp messages.
Citizen Lab’s report describes Candiru as “a mercenary spyware firm that markets ‘untraceable’ spyware to government customers.” Founded in 2014, the company has undergone several name changes.
“Like many mercenary spyware corporations, the company reportedly recruits from the ranks of Unit 8200, the signals intelligence unit of the Israeli Defence Forces,” the report said.
The company’s exploits have been linked to APT attacks observed in Uzbekistan, Saudi Arabia, the United Arab Emirates (UAE), Singapore, and Qatar.
“Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices. With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies only add to the complexity, scale, and sophistication of attacks,” Microsoft noted.