Candiru Spyware Caught Exploiting Google Chrome Zero-Day to Target Journalists

The actively exploited but now-fixed Google Chrome zero-day flaw that came to light at the start of this month was weaponized by an Israeli spyware company and used in attacks targeting journalists in the Middle East.

Czech cybersecurity firm Avast linked the exploitation to Candiru (aka Saito Tech), which has a history of leveraging previously unknown flaws to deploy a Windows malware dubbed DevilsTongue, a modular implant with Pegasus-like capabilities.

Candiru, along with NSO Group, Computer Security Initiative Consultancy PTE. LTD., and Positive Technologies, were added to the entity list by the U.S. Commerce Department in November 2021 for engaging in “malicious cyber activities.”

“Specifically, a large portion of the attacks took place in Lebanon, where journalists were among the targeted parties,” security researcher Jan Vojtěšek, who reported the discovery of the flaw, said in a write-up. “We believe the attacks were highly targeted.”

The vulnerability in question is CVE-2022-2294, memory corruption in the WebRTC component of the Google Chrome browser that could lead to shellcode execution. It was addressed by Google on July 4, 2022. The same issue has since been patched by Apple and Microsoft in Safari and Edge browsers.

The findings shed light on multiple attack campaigns mounted by the Israeli hack-for-hire vendor, which is said to have returned with a revamped toolset in March 2022 to target users in Lebanon, Turkey, Yemen, and Palestine via watering hole attacks using zero-day exploits for Google Chrome.

The infection sequence spotted in Lebanon commenced with the attackers compromising a website used by employees of a news agency to inject malicious JavaScript code from an actor-controlled domain that’s responsible for redirecting potential victims to an exploit server.

Via this watering hole technique, a profile of the victim’s browser, consisting of about 50 data points, is created, including details like language, timezone, screen information, device type, browser plugins, referrer, and device memory, among others.

Avast assessed the information was gathered to ensure that the exploit was being delivered only to the intended targets. Should the collected data be deemed of value by the hackers, the zero-day exploit is then delivered to the victim’s machine over an encrypted channel.

The exploit, in turn, abuses the heap buffer overflow in WebRTC to attain shellcode execution. The zero-day flaw is said to have been chained with a sandbox escape exploit (that was never recovered) to gain an initial foothold, using it to drop the DevilsTongue payload.

While the sophisticated malware is capable of recording the victim’s webcam and microphone, keylogging, exfiltrating messages, browsing history, passwords, locations, and much more, it has also been observed attempting to escalate its privileges by installing a vulnerable signed kernel driver (“HW.sys“) containing a third zero-day exploit.

Earlier this January, ESET explained how vulnerable signed kernel drivers – an approach called Bring Your Own Vulnerable Driver (BYOVD) – can become unguarded gateways for malicious actors to gain entrenched access to Windows machines.

The disclosure comes a week after Proofpoint revealed that nation-state hacking groups aligned with China, Iran, North Korea, and Turkey have been targeting journalists to conduct espionage and spread malware since early 2021.