A 0-day vulnerability in Chrome used for Candiru malware attacks

Avast researchers have discovered that the DevilsTongue spyware, developed by the Israeli company Candiru, exploited a zero-day vulnerability in Google Chrome to spy on journalists and others in the Middle East.

The vulnerability in question is CVE-2022-2294, which Google and Apple patched earlier this month. It is a heap buffer overflow in the WebRTC component and was first reported by security researcher Jan Vojtěšek of the Avast Threat Intelligence team. At the time it was already known that the flaw was being exploited in the wild, but no details were disclosed.

As Avast now explains, the vulnerability was found while investigating a spyware attack on one of the company's customers. According to the researchers, Candiru began using CVE-2022-2294 in March 2022, targeting users in Lebanon, Turkey, Yemen and Palestine.

The spyware operators used the watering-hole tactics that are standard for this type of campaign. The term comes from predators that wait beside a water hole for the animals that come there to drink. In practice, attackers inject malicious code into a legitimate site that their targets are known to visit, and the code lies in wait for the victims.

In this case, by compromising a site the attackers hoped their targets would visit it with a browser vulnerable to CVE-2022-2294. In one instance, the website of an unnamed news agency in Lebanon was compromised by embedding JavaScript that enabled XSS and redirected the victim to a server hosting the exploit.

The attack was particularly dangerous because it required no interaction from the victim (no clicking a link, no downloading anything). Simply opening the compromised site in Google Chrome or another Chromium-based browser such as Edge was enough to compromise the machine. Because the bug lies in WebRTC, which Safari also uses, Apple's browser was affected as well, even though Safari is not Chromium-based.

To make sure only the intended targets were attacked, the operators profiled each visitor before serving the exploit, collecting a wealth of data such as system language, time zone, screen size, device type, browser plugins, device memory, cookies and more.

It should also be noted that in the Lebanon attacks the 0-day not only let the attackers run shellcode inside the browser's renderer process, but was chained with a sandbox escape exploit that Avast was unable to recover for analysis.

Once DevilsTongue reached the victim's system, it attempted to elevate its privileges by installing a Windows driver that contained yet another unpatched vulnerability. That brings the total number of 0-day bugs involved in this campaign to at least three.

Once the driver was loaded, DevilsTongue exploited the flaw in it to gain access to the kernel, the most privileged part of the operating system. Researchers call this technique BYOVD, bring your own vulnerable driver. It works because a driver, once loaded, runs in kernel mode with full privileges, and Windows will load any validly signed driver even if it is known to be vulnerable: the malware does not need its own kernel exploit, only a signed driver whose bug it can trigger from user mode.
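A practical check that follows from the BYOVD description above, written here as an added example and not taken from Avast's research or from any Candiru analysis: a PowerShell script that reports whether Microsoft's vulnerable driver blocklist and HVCI are active on a host, and lists the running kernel drivers that are not signed by Microsoft so their SHA-256 hashes can be compared against a known-vulnerable-driver list such as loldrivers.io. The registry value name, the Device Guard WMI class and the meaning of SecurityServicesRunning value 2 are taken from Microsoft's documentation as the author understands it; treat them as assumptions to verify against your Windows build.

```powershell
# Added example: BYOVD exposure check for a Windows host. Run from an elevated PowerShell.
# Assumptions: Windows 10/11, PowerShell 5.1 or later. The registry value and WMI class
# below are the documented controls for the Microsoft vulnerable driver blocklist and HVCI.

function Get-VulnerableDriverBlocklistState {
    # HKLM\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable = 1
    # turns the blocklist on even when HVCI is off (assumption: value name as documented).
    $ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $flag = (Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' `
                -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    # Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    [pscustomobject]@{
        BlocklistEnabled = ($flag -eq 1)
        HvciRunning      = ($null -ne $dg -and $dg.SecurityServicesRunning -contains 2)
    }
}

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName is usually a full path, but normalise the variants
    # seen in practice: \??\ prefix, \SystemRoot\ prefix, or a System32-relative path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-ThirdPartyKernelDrivers {
    # Every running driver that is not signed by Microsoft is a triage candidate.
    # A third-party signer is not proof of a vulnerability; compare the SHA-256 column
    # against a vulnerable-driver list (for example https://www.loldrivers.io).
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer = $signer
                Sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        } |
        Where-Object { $_.Signer -notmatch 'Microsoft (Windows|Corporation)' } |
        Sort-Object Name
}

# Usage
$state = Get-VulnerableDriverBlocklistState
Write-Host ("Vulnerable driver blocklist enabled: {0}; HVCI running: {1}" -f $state.BlocklistEnabled, $state.HvciRunning)
if (-not ($state.BlocklistEnabled -or $state.HvciRunning)) {
    Write-Warning 'Neither the driver blocklist nor HVCI is active: a signed-but-vulnerable driver would load.'
}
Get-ThirdPartyKernelDrivers | Format-Table Name, Status, Signer, Sha256 -AutoSize
```

The script deliberately reports rather than blocks: the decision about a given driver belongs to whoever knows why it is on the box. The important finding is the first line of output. If neither control is active, a BYOVD chain of the kind described above needs nothing more than administrator rights to load its driver, and the hash comparison is the only remaining line of defence.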

"We don't know exactly what the attackers are looking for, but they often target journalists to spy on them and the material they are working on, or to get to their sources and collect compromising information and sensitive data that has been shared with the press," the Avast researchers say.

Recall that the DevilsTongue spyware, developed by the Israeli company Candiru and sold to governments around the world, was described in detail last year by Microsoft and Citizen Lab. Even then it was known that politicians, human rights activists, journalists, academics, embassies and political dissidents in various countries had been targeted with this malware.
