Israeli firm Candiru exploited Windows zero-days to deploy spyware

Candiru, an Israeli surveillance company also known as Sourgum, used Windows zero-day exploits to deploy DevilsTongue, a new Windows malware.


According to Microsoft and Citizen Lab researchers, Candiru’s spyware targeted at least 100 activists, journalists, and government dissidents in ten nations.


In a blog post, Microsoft stated that it had taken the warning seriously and has blocked the use of certain cyberweapons created and sold by the Sourgum organization.


Candiru is a company that offers surveillance software to governments exclusively.


Its spyware can monitor iPhones, Androids, Macs, PCs, and cloud accounts.


According to the report, Citizen Lab partnered with the Microsoft Threat Intelligence Center (MSTIC) to analyze the malware, which led Microsoft to discover CVE-2021-31979 and CVE-2021-33771, two privilege escalation vulnerabilities exploited by Candiru.


Microsoft fixed each of these vulnerabilities on July 13th, 2021.


Microsoft discovered at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore throughout the investigation.


Human rights defenders, dissidents, journalists, activists, and politicians are among the victims.


Candiru’s spyware is distributed by various methods, including malicious URLs, man-in-the-middle attacks, and physical attacks.


The company also offers a “Sherlock” infection vector that works on Windows, iOS, and Android. According to Citizen Lab researchers, Sherlock might be a browser-based zero-click vector.


Using Internet scanning, researchers discovered more than 750 websites belonging to Candiru’s spyware infrastructure.


The firm used domains that impersonated Amnesty International, the Black Lives Matter movement, media companies, and other civil-society-related entities.


Operators can use DevilsTongue to spy on victims, capture sensitive data, intercept and decode Signal messages on Windows devices, and steal information from major web browsers.


It can also use the infected system to send messages from logged-in email and social media accounts.


Operators could abuse this capability to send malicious messages to the victim’s contacts.


Candiru’s widespread presence, and its use of surveillance technology against global civil society, serve as a reminder that the mercenary spyware industry is crowded with operators and prone to widespread abuse.

