Israeli spyware vendor Candiru was targeting journalists using a zero-day vulnerability in Google Chrome to deliver its 'DevilsTongue' spyware.
Security researchers have linked an actively exploited zero-day vulnerability in Google Chrome to an Israeli spyware maker targeting journalists in the Middle East.
The flaw tracked as CVE-2022-2294 is a high-severity heap-based buffer overflow in WebRTC, which, if successfully exploited, may lead to code execution on the target device.
In a report, Avast's threat researchers say they discovered the vulnerability and reported it to Google. They also say that in March they observed Candiru spyware using the Chrome zero-day exploit to target individuals in Turkey, Yemen, and Palestine, as well as journalists in Lebanon, where Candiru compromised a website used by employees of a news agency.
The spyware operators employed common watering hole attack tactics: they compromised a website their targets were likely to visit and exploited an unknown vulnerability in the browser to infect those visitors with spyware.
In this type of attack, no interaction with the victim is required, such as clicking a link or downloading a file. The target only needs to open the site in Google Chrome or another Chromium-based browser, and the zero-day exploit infects the device.
While the sophisticated malware is capable of recording the victim's webcam and microphone, keylogging, and exfiltrating messages, browsing history, passwords, locations, and much more, it has also been observed attempting to escalate its privileges by installing a vulnerable signed kernel driver ("HW.sys") containing a third zero-day exploit.
In November 2021, the U.S. Commerce Department added Candiru, along with NSO Group, Computer Security Initiative Consultancy PTE. LTD., and Positive Technologies, to its entity list for engaging in "malicious cyber activities."