Not all malware variants are available on underground darknet markets. Some criminal syndicates design and supply them, especially for state-sponsored cyberattacks. In a recent investigation, security researchers identified new spyware created by Candiru (also known as SOURGUM), an Israel-based mercenary spyware vendor, to target Windows systems, iPhones, Macs, Android platforms, and cloud networks across the globe. The vendor is reportedly trading various cyberweapons to state-sponsored actors and government agencies in hacking-as-a-service packages.
A joint investigation by Citizen Lab and the Microsoft Threat Intelligence Center (MSTIC) identified the Windows spyware, tracked as DevilsTongue, exploiting two Windows zero-day vulnerabilities listed as CVE-2021-31979 and CVE-2021-33771. If exploited, the vulnerabilities could allow a remote attacker to escape browser sandboxes, escalate privileges, and gain kernel code execution.
Microsoft has fixed the bugs in its July 2021 security update.
The spyware also targeted more than 100 victims, including politicians, journalists, academics, embassy workers, human rights activists, and political dissidents. Adversaries leveraged different browsers and Windows exploits to deploy malware on the targeted systems. They sent malicious single-use URLs to targets via messaging services like WhatsApp. Most of DevilsTongue’s victims are located in Palestine, followed by Israel, Yemen, Iran, Lebanon, Spain, the U.K., Turkey, Armenia, and Singapore.
Citizen Lab stated that Candiru’s Windows payload possesses a variety of features, such as exfiltrating files; stealing cookies and passwords from the Chrome, Internet Explorer, Firefox, Safari, and Opera browsers; and exporting all messages saved in messaging apps.
Microsoft claimed that it has implemented the necessary security measures to protect its products from this highly sophisticated spyware.
“We have shared these protections with the security community so that we can collectively address and mitigate this threat. We have also issued a software update that will protect Windows customers from the associated exploits that the actor used to help deliver its highly sophisticated malware,” Microsoft said.
Candiru’s Corporate Structure
According to Citizen Lab, Candiru was founded in 2014 and is known to have changed its identity several times. While the company presently operates under the name Saito Tech Ltd., it has operated under multiple identities, such as DF Associates in 2017, Grindavik Solutions in 2018, and Taveta in 2019. The company provides various criminal services, such as custom malware distribution and cyber espionage (against computers, mobile devices, and cloud accounts), while keeping its operations, infrastructure, and staff identities hidden. Candiru has clients in Europe, the Persian Gulf, the former Soviet Union, Asia, and Latin America.
The researchers found over 750 websites linked to Candiru’s spyware infrastructure, many of which impersonated the legitimate domains of social welfare and advocacy organizations such as Amnesty International and Black Lives Matter.