An Israeli spyware outfit turned the actively exploited, but now patched, Google Chrome zero-day issue into a weapon that it deployed to assault Middle Eastern journalists.
The exploitation was connected to Candiru (aka Saito Tech) by the Czech cybersecurity company Avast. Candiru has a history of using previously undiscovered holes to spread the Windows malware known as DevilsTongue, a modular implant with Pegasus-like capabilities.
The U.S. Commerce Department added Candiru, NSO Group, Computer Security Initiative Consultancy PTE. LTD., and Positive Technologies to the entity list in November 2021 for participating in “malicious cyber activity.”
Security researcher Jan Vojtěšek , who announced the discovery of the issue, wrote in a study that “specifically, a substantial portion of the attacks took place in Lebanon, where journalists were among the targeted parties.” We think the attacks were well-targeted.
The vulnerability in question is CVE-2022-2294, which involves memory corruption in the Google Chrome browser’s WebRTC component that could result in the execution of shellcode. Google responded on July 4, 2022. Since then, Apple and Microsoft have corrected the same problem in their Safari and Edge browsers.
The results shed light on many assault campaigns carried out by the Israeli hacker-for-hire vendor, who is alleged to have returned in March 2022 with a retooled toolkit to target users in Lebanon, Turkey, Yemen, and Palestine via watering hole attacks employing zero-day exploits for Google Chrome.
In order to inject malicious JavaScript code from an actor-controlled domain that directs potential victims to an exploit server, the attackers had to infect a website that was being accessed by staff members of a news agency. This was the first step in the infection sequence discovered in Lebanon.
A profile of the victim’s browser is built using this watering hole technique, comprising of roughly 50 data points, including information on the language used, time zone, screen information, device kind, browser plugins, referrer, and device memory, among other things.
Avast examined the data acquired to make sure the exploit was being sent solely to the targeted recipients. If the hackers decide that the data they have gathered is valuable, they then transmit the zero-day vulnerability to the victim’s computer using an encrypted route.
In turn, the exploit takes advantage of WebRTC’s heap buffer overflow to execute shellcode. The DevilsTongue payload is alleged to have been dropped using the zero-day vulnerability after it had been chained with a sandbox escape exploit (that was never retrieved).
The sophisticated malware has been seen trying to increase its privileges by installing a vulnerable signed kernel driver (“HW.sys”) containing a third zero-day exploit, despite being capable of recording the victim’s webcam and microphone, keylogging, exfiltrating messages, browsing history, passwords, locations, and much more.
Back in January, ESET described how Bring Your Own Vulnerable Driver (BYOVD)-style vulnerable signed kernel drivers might serve as unprotected entry points for malicious actors seeking to establish a foothold on Windows systems.
The information was made public a week after Proofpoint said that since early 2021, nation-state hacking groups affiliated with China, Iran, North Korea, and Turkey had been focusing on journalists in order to conduct espionage and disseminate malware.
