DevilsTongue spyware from Israeli company Candiru exploited Windows vulnerabilities

Sicherheit (Pexels, allgemeine Nutzung)[German]After I just reported about spy Trojans of the Israeli NSO Group on smartphones (see Pegasus spy software of NSO Group on many smartphones), I can also reveal the second case. The Israeli company Candiru exploited vulnerabilities in Windows to install their spyware called DevilsTongue. However, the vulnerabilities have been fixed in the meantime.


Advertising

Microsoft already made these facts public on July 15, 2021 in the blog post Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware. The Microsoft Threat Intelligence Center (MSTIC), along with the Microsoft Security Response Center (MSRC), discovered a private-sector offensive actor (PSOA) that Microsoft refers to as SOURGUM. This actor had knowledge of the now-patched Windows 0-day exploits (CVE-2021-31979 and CVE-2021-33771).

The security researchers at Citizen Lab naming in this blog post the Israeli company Candidru as the originator. Candiru, a company that operates away from the public eye, creates hacking tools that are used to break into computers and servers. 

Citizen Lab security researchers identified a politically active victim in Western Europe and recovered a copy of Candiru’s Windows spyware. Using Internet scans, security researchers identified more than 750 websites connected to Candiru’s spyware infrastructure. The researchers found many domains that posed as advocacy organizations of NGOs such as Amnesty International, the Black Lives Matter movement, as well as media companies and other civil society organizations, but delivered the Candiru spyware.

Apparently, political activists were to be scouted by the Candiru spying software, the security researchers conclude from the websites they found. A leaked Candiru project proposal published by TheMarker shows that Candiru’s spyware can be installed through a number of different vectors, including malicious links, man-in-the-middle attacks and physical attacks.  A vector called “Sherlock” is also offered, which supposedly works on Windows, iOS and Android. This may be a browser-based zero-click vector for attacks..

Spyware details

The Candiru spyware was persistently installed in Windows via COM hijacking of the following registry key:


Advertising

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Normally, the value of this registry key refers to the file wmiutils.dll (belongs to “Windows Management Instrumentation”). On the infected computer, the entry was modified to point to a malicious DLL file placed in the Windows system folder. The folder is associated with the Japanese input method (IMEJP)

C:\WINDOWS\system32\IMEJP\IMJPUEXP.DLL

This folder is harmless and included in a default Windows 10 installation, but IMJPUEXP.DLL is not the name of a legitimate Windows component.

Windows startup automatically loads Windows Management Instrumentation service, which looks up the DLL path in the registry key and then calls the DLL. This makes the spyware effective. Microsoft and Citizen Lab collaborated on the analysis, as you can read here. More than 100 victims of this spyware have been found worldwide, including politicians, human rights activists, journalists, academics, embassy staff and political dissidents. To curb these attacks, Microsoft has developed protections against this unique DevilsTongue spyware and integrated them into its products. The other antivirus vendors are also expected to detect the malware by now. In addition, Windows has been protected from the exploits used by a software update.

Citizen Lab spreads the details about the spyware in this article, which was probably not used directly by Candiru, but only sold to various customers. These then used the software to infect the victims mentioned above. The case, along with the Pegasus spyware case, shows that things have long since gotten out of hand.


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *