The Israeli spyware vendor Candiru was found using a zero-day vulnerability in Google Chrome to spy on journalists and other high-interest individuals in the Middle East with the ‘DevilsTongue’ spyware.
The flaw, tracked as CVE-2022-2294, is a high-severity heap-based buffer overflow in WebRTC which, if successfully exploited, may lead to code execution on the target device.
When Google patched the zero-day on July 4th, it disclosed that the flaw was under active exploitation but provided no further details.
In a report published earlier today, Avast’s threat researchers, who discovered the vulnerability and reported it to Google, reveal that they unearthed it after investigating spyware attacks on their clients.
Multiple campaigns and delivery methods
According to Avast, Candiru began exploiting CVE-2022-2294 in March 2022, targeting users in Lebanon, Turkey, Yemen, and Palestine.
The spyware operators employed common watering hole attack tactics, compromising a website their targets would visit and exploiting an unknown vulnerability in the browser to infect them with spyware.
This attack is particularly nasty because it requires no interaction with the victim, such as clicking on a link or downloading something. Instead, all that’s needed is for them to open the site in Google Chrome or another Chromium-based browser.
These websites can be either legitimate sites that were somehow compromised or sites created by the threat actors and promoted via spear phishing or other methods.
Once the victims reached the server, they were profiled in great detail using about 50 data points. If the target was deemed valid, encrypted data exchange was established for the zero-day exploit to take place.
“The collected information includes the victim’s language, timezone, screen information, device type, browser plugins, referrer, device memory, cookie functionality, and more,” explains Avast’s report.
In the Lebanon case, the zero-day enabled the actors to achieve shellcode execution inside a renderer process and was further chained with a sandbox escape flaw that Avast couldn’t recover for analysis.
Because the flaw was located in WebRTC, it also affected Apple’s Safari browser. However, the exploit seen by Avast only worked on Windows.
After the initial infection, DevilsTongue used a BYOVD (“bring your own driver”) step to elevate its privileges and gain read and write access to the compromised device’s memory.
Interestingly, Avast discovered that the BYOVD used by Candiru was also a zero-day, and even if the vendor pushes a security update, it won’t help against the spyware because the vulnerable version comes bundled with it.
While it is not clear what data the attackers were targeting, Avast believes the threat actors used the spyware to learn more about what news stories the targeted journalist was researching.
“We can’t say for sure what the attackers might have been after; however, often, the reason why attackers go after journalists is to spy on them and the stories they’re working on directly, or to get to their sources and gather compromising information and sensitive data they shared with the press.” – Avast.
The ongoing spyware threat
Commercial spyware vendors are known for developing or buying zero-day exploits to attack persons of interest for their clients.
The last time Candiru was exposed by Microsoft and Citizen Lab, the firm retracted all DevilsTongue operations and worked in the shadows to implement new zero-days, as Avast now reveals.
Unfortunately, this also means that the same will happen again, so applying security updates immediately does not make you immune to commercial spyware.
To tackle this problem, Apple plans to introduce a new iOS 16 feature called ‘Lockdown Mode,’ which limits the device’s features and functionality to prevent sensitive data leaks or minimize the implications of a spyware infection.