Threat Watch


Patches Released for Windows Vulnerabilities Exploited by Spyware Sold to Governments

On July 15th, 2021, Citizen Lab released an article claiming that Candiru, an Israel-based company, sells spyware to governments that reportedly can infect and monitor iPhones, Androids, Macs, PCs, and cloud accounts. Microsoft is calling the threat actor SOURGUM and the malware DevilsTongue. More than 750 websites were linked to Candiru’s spyware infrastructure. Two privilege escalation vulnerabilities affecting Microsoft Windows, CVE-2021-31979 and CVE-2021-33771, were exploited by Candiru; Microsoft patched both vulnerabilities on July 13th, 2021.

DevilsTongue also exploited CVE-2021-21166 and CVE-2021-30551 in Chrome and CVE-2021-33742 in Internet Explorer. According to a July 14th, 2021 post from Google’s Threat Analysis Group, these vulnerabilities have been patched. Google also released details about an unrelated remote code execution flaw in Safari’s WebKit engine that it found after detecting these vulnerabilities.

At least 100 victims, including human rights defenders, dissidents, journalists, activists, and politicians, were targeted in Palestine, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore. Victims were lured to websites that profiled their screen resolution, time zone, supported languages, browser plugins, and available MIME types to decide whether to attempt a browser compromise.

ANALYST NOTES

While activists, journalists, and government employees should take extraordinary precautions to avoid advanced malware, everyone should be aware of more common malware that targets smartphones to steal 2FA codes sent via text message or to transfer money out of online banking accounts. To reduce the risk from browser exploits, open links from untrusted parties in an isolated environment such as a virtual machine. Microsoft notes that a modern version of Windows 10 with virtualization-based protections enabled prevents DevilsTongue’s Local Security Authority Subsystem Service (LSASS) credential-stealing capability, and that Microsoft Defender Antivirus detects DevilsTongue malware under the following detection names:
• Trojan:Win32/DevilsTongue.A!dha
• Trojan:Win32/DevilsTongue.B!dha
• Trojan:Script/DevilsTongueIni.A!dha
• VirTool:Win32/DevilsTongueConfig.A!dha
• HackTool:Win32/DevilsTongueDriver.A!dha
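The detection names above are the concrete hook a defender has for hunting DevilsTongue across a fleet. As an added example (not part of the original bulletin or of Microsoft's tooling), the Python below scans constructed Defender detection log lines, keeps only DevilsTongue hits, and summarises them per host. The log line layout, hostnames, paths and timestamps are all assumptions made up for this example; real Defender events (such as Event ID 1116) carry the same fields but in their own format, so the regular expression would need adapting. The family-prefix match goes one step beyond the listed names and catches any other signature carrying the DevilsTongue family name.

```python
import re
from dataclasses import dataclass

# Microsoft Defender Antivirus detection names for DevilsTongue, as listed in the bulletin.
DEVILSTONGUE_SIGNATURES = {
    "Trojan:Win32/DevilsTongue.A!dha",
    "Trojan:Win32/DevilsTongue.B!dha",
    "Trojan:Script/DevilsTongueIni.A!dha",
    "VirTool:Win32/DevilsTongueConfig.A!dha",
    "HackTool:Win32/DevilsTongueDriver.A!dha",
}

# Broader match on the family name, so a signature not in the list above
# (a new variant letter, for instance) is still flagged for triage.
FAMILY_RE = re.compile(r"/DevilsTongue", re.IGNORECASE)

# Constructed sample lines in the style of a flattened Defender detection export.
# Hostnames, paths and timestamps are invented; the third and fourth lines are
# an unrelated detection included to show that it is ignored.
SAMPLE_EVENTS = [
    "2021-07-16T08:12:03Z host=WS-0412 event_id=1116 name=Trojan:Win32/DevilsTongue.A!dha severity=Severe path=C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll",
    "2021-07-16T08:12:05Z host=WS-0412 event_id=1116 name=HackTool:Win32/DevilsTongueDriver.A!dha severity=High path=C:\\Windows\\System32\\drivers\\wdf.sys",
    "2021-07-16T09:40:11Z host=WS-0317 event_id=1116 name=Trojan:Win32/Emotet.PA!MTB severity=Severe path=C:\\Users\\bob\\Downloads\\invoice.doc",
    "2021-07-16T09:41:00Z host=WS-0317 event_id=1117 name=Trojan:Win32/Emotet.PA!MTB severity=Severe path=C:\\Users\\bob\\Downloads\\invoice.doc",
    "2021-07-16T10:02:47Z host=WS-0099 event_id=1116 name=VirTool:Win32/DevilsTongueConfig.A!dha severity=High path=C:\\ProgramData\\cfg.ini",
]

# Field layout assumed for the constructed export above (key=value pairs, path last).
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event_id=(?P<event_id>\d+)\s+"
    r"name=(?P<name>\S+)\s+severity=(?P<severity>\S+)\s+path=(?P<path>.+)$"
)


@dataclass(frozen=True)
class Detection:
    ts: str
    host: str
    event_id: int
    name: str
    severity: str
    path: str


def parse_event(line):
    """Parse one export line into a Detection, or return None if it does not fit the layout."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return Detection(
        ts=m["ts"],
        host=m["host"],
        event_id=int(m["event_id"]),
        name=m["name"],
        severity=m["severity"],
        path=m["path"],
    )


def classify(name):
    """'known' for a name in the bulletin's list, 'family' for any other
    DevilsTongue-named signature, None for anything unrelated."""
    if name in DEVILSTONGUE_SIGNATURES:
        return "known"
    if FAMILY_RE.search(name):
        return "family"
    return None


def find_devilstongue(lines):
    """Return (Detection, classification) pairs for every DevilsTongue hit in the lines."""
    hits = []
    for line in lines:
        det = parse_event(line)
        if det is None:
            continue  # malformed or foreign line; skip rather than abort the scan
        kind = classify(det.name)
        if kind is not None:
            hits.append((det, kind))
    return hits


def summarize_hosts(hits):
    """Map each affected host to the sorted list of distinct DevilsTongue signatures seen on it."""
    per_host = {}
    for det, _kind in hits:
        per_host.setdefault(det.host, set()).add(det.name)
    return {host: sorted(names) for host, names in per_host.items()}


if __name__ == "__main__":
    for host, names in summarize_hosts(find_devilstongue(SAMPLE_EVENTS)).items():
        print(host, "->", ", ".join(names))
```

Running the script lists the two constructed hosts with DevilsTongue detections and skips the unrelated Emotet lines; pointing `find_devilstongue` at a real export only requires replacing `EVENT_RE` with one that matches the export's own field layout.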

https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/

https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/

https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/

https://www.theregister.com/2021/07/16/microsoft_candiru_malware/?&web_view=true