Candiru Spyware Caught Abusing Google Chrome Zero-Day To Target Journalists


Google Chrome’s actively exploited but now fixed zero-day flaw that came to light early this month was weaponized by an Israeli spyware company and used in attacks targeting journalists in the Middle East.

Czech cybersecurity firm Avast linked the exploit to Candiru (aka Saito Tech), which in the past used previously unknown flaws to create a Windows malware called DevilsTonguea modular implant with Pegasus-like capabilities.

Candiru, together with NSO Group, Computer Security Initiative Consultancy PTE. LTD., and Positive Technologies, were added to the list of entities by the US Department of Commerce in November 2021 for their participation in “malicious cyber activities.”

“In particular, a large proportion of the attacks took place in Lebanon, where journalists were among the targets,” security researcher Jan Vojtěšek, who reported the discovery of the flaw, said in a caption. “We think the attacks were very targeted.”

The vulnerability in question is CVE-2022-2294, memory corruption in the WebRTC part of the Google Chrome browser that can lead to shell code execution. It was addressed by Google on July 4, 2022. The same issue has since been fixed by Apple and Microsoft in Safari and Edge browsers.

The findings shed light on multiple attack campaigns launched by the Israeli hack-for-hire vendor, who reportedly returned in March 2022 with a revamped toolset to target users in Lebanon, Turkey, Yemen and Palestine via waterhole attacks with zero-day exploits for Google Chrome.

The infection chain spotted in Lebanon began when the attackers compromised a website used by news agency employees to inject malicious JavaScript code from an actor-managed domain responsible for redirecting potential victims to an exploit server.

This watering hole technique creates a profile of the victim’s browser consisting of approximately 50 data points, including details such as language, time zone, screen information, device type, browser plugins, referrer, and device memory.

Avast assessed that the information was collected to ensure that the exploit was delivered only to its intended targets. Should the collected data be considered valuable by the hackers, the zero-day exploit is delivered to the victim’s computer via an encrypted channel.

The exploit, in turn, abuses the heap buffer overflow in WebRTC to achieve shell code execution. The zero-day flaw would be linked to a sandbox escape exploit (which was never recovered) to gain a first foothold and use it to drop the DevilsTongue payload.

While the advanced malware is capable of recording victim’s webcam and microphone, keylogging, message exfiltration, browsing history, passwords, locations and much more, it has also been observed to attempt to escalate its privileges by using a vulnerable signed kernel driver (“HW.sys“) with a third zero-day exploit.

Earlier this January, ESET explained how vulnerable signed kernel drivers – an approach called Bring Your Own Vulnerable Driver (BYOVD) – can become unattended gateways for malicious actors to gain anchored access to Windows machines.

The revelation comes a week after Proofpoint revealed that nation-state hacking groups linked to China, Iran, North Korea and Turkey have been targeting journalists since early 2021 to carry out espionage and spread malware.