16 July 2021

Israeli spyware vendor caught using Windows zero-days to hack politicians, dissidents

Microsoft and digital rights watchdog Citizen Lab have released two separate reports detailing a never-before-seen spyware named DevilsTongue that leveraged zero-day vulnerabilities in browsers and the Windows operating system in attacks targeting "politicians, human rights activists, journalists, academics, embassy workers, and political dissidents."

Microsoft said it detected hacking attempts on more than 100 victims in Palestine, Israel, Iran, Lebanon, Spain, the UK, Turkey, Armenia, and Singapore. Citizen Lab said it was able to identify and reach out to a victim who let its researchers analyze their computer and extract the malware.

Citizen Lab concluded that the malware and the zero-day exploits were developed by the Tel Aviv-based spyware maker Candiru (Microsoft tracks the activity as SOURGUM) that sells spyware exclusively to governments. Reportedly, their spyware can infect and monitor iPhones, Androids, Macs, PCs, and cloud accounts. Citizen Lab said it was able to identify more than 750 websites linked to Candiru’s spyware infrastructure, many of which were disguised as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities.

While analyzing the malware, the Microsoft Threat Intelligence Center (MSTIC) discovered two zero-day flaws (CVE-2021-31979 and CVE-2021-33771), both of which have been fixed as part of the July 2021 Patch Tuesday. These vulnerabilities allow privilege escalation, giving an attacker the ability to escape browser sandboxes and gain kernel code execution.

According to Microsoft, DevilsTongue is a complex, modular, multi-threaded piece of malware written in C and C++ with several novel capabilities. The company said it is still analyzing some of its components and capabilities.

“The main functionality resides in DLLs that are encrypted on disk and only decrypted in memory, making detection more difficult. Configuration and tasking data is separate from the malware, which makes analysis harder. DevilsTongue has both user mode and kernel mode capabilities. There are several novel detection evasion mechanisms built in. All these features are evidence that SOURGUM developers are very professional, have extensive experience writing Windows malware, and have a good understanding of operational security,” Microsoft researchers said.

MSTIC found Candiru using a chain of browser and Windows exploits to deploy the malware on targeted victims. The browser exploits were delivered via single-use URLs sent via WhatsApp messages.

The Citizen Lab’s report describes Candiru as “a mercenary spyware firm that markets ‘untraceable’ spyware to government customers.” Founded in 2014, the company has undergone several name changes.

“Like many mercenary spyware corporations, the company reportedly recruits from the ranks of Unit 8200, the signals intelligence unit of the Israeli Defence Forces,” the report said.

The company’s exploits have been linked to APT attacks observed in Uzbekistan, Saudi Arabia, the United Arab Emirates (UAE), Singapore and Qatar.

“Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices. With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies only add to the complexity, scale, and sophistication of attacks,” Microsoft noted.
