Israeli Spyware Firm Attributed to Watering Hole Attacks on Middle East & UK websites

The operation uncovered consists of "watering hole" attacks, in which malicious code is added to legitimate websites that the targeted users are likely to visit.

ESET researchers have discovered a new cyber campaign that used malware from Candiru, a company based in Tel Aviv, to target websites and services in various Middle Eastern nations, including Saudi Arabia and Iran.

Candiru, like NSO Group, sells malware to government agencies, and the US placed it on a trade blacklist earlier this month, along with a Russian corporation and a Singapore-based company. The latest campaign uses 'watering hole' attacks, in which attackers plant malicious code on legitimate websites that their targets are likely to visit. When a user visits the page, the malware infects their computer, allowing the attackers to eavesdrop on them or harm them in other ways.
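Because a watering hole compromise shows up as script content that was never part of the site, a site owner's most direct check is to compare every script on a served page against a known-good baseline. The following is an added example, not code from ESET or from the campaign described; the page markup, the baseline and the injected URL (an `.invalid` placeholder) are constructed for illustration.

```python
"""Detect unexpected <script> content on a web page against a baseline."""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # entries: ("src", url) or ("inline", code)
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src))
        else:                    # inline script: body arrives via handle_data
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append(("inline", "".join(self._buf).strip()))


def fingerprint(kind, value):
    """Stable identifier: the URL for external scripts, sha256 for inline code."""
    if kind == "src":
        return "src:" + value
    return "inline:" + hashlib.sha256(value.encode("utf-8")).hexdigest()


def unexpected_scripts(html, baseline):
    """Return fingerprints of scripts present on the page but absent from baseline."""
    parser = ScriptCollector()
    parser.feed(html)
    found = {fingerprint(kind, value) for kind, value in parser.scripts}
    return sorted(found - set(baseline))


# Constructed sample: a clean page, its baseline, and the same page with one injected script.
CLEAN_PAGE = '<html><head><script src="/js/site.js"></script></head><body><p>News</p></body></html>'
BASELINE = {fingerprint("src", "/js/site.js")}
TAINTED_PAGE = CLEAN_PAGE.replace(
    "</body>", '<script>fetch("https://placeholder.invalid/p")</script></body>')
```

Running `unexpected_scripts(TAINTED_PAGE, BASELINE)` reports the injected inline script while the clean page reports nothing; in practice the baseline is built from a trusted copy of the site and the check runs on what the public actually receives.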

According to ESET, the websites targeted were Middle East Eye, a London-based news organisation, and Almasirah, a Yemeni news agency linked to the Houthi rebels battling the Saudis. Websites belonging to the Iranian foreign ministry, Yemen's finance and interior ministries, and Syria's energy ministry, as well as internet service providers in Syria and Yemen, were also targeted by the attackers. 

Sites run by the Italian corporation Piaggio Aerospace, the pro-Iranian militant group Hezbollah, and The Saudi Reality, a Saudi Arabian dissident media website, were among the other targets. According to the researchers, the attackers also set up a website posing as a medical trade show in Germany. ESET believes that certain visitors to these sites were targeted via a browser exploit, although it was unable to obtain the vulnerability or the payload.

ESET researcher Matthieu Faou who uncovered the cyber campaign, stated, "On July 11, 2020, our system notified us that the website of the Iranian embassy in Abu Dhabi had been tainted with malicious JavaScript code. Our curiosity was aroused by the high-profile nature of the targeted website, and in the following weeks we noticed that other websites with connections to the Middle East were also targeted." 

The researchers have detected no activity from this operation since the end of July 2021, when Google, Citizen Lab, and Microsoft released blog articles outlining Candiru's actions - and about the same time that NSO Group became global news.

"The operators appear to be taking a pause, probably in order to retool and make their campaign stealthier," Faou continued. 

Little public information is available about Candiru, which has operated under numerous names since its founding in 2014. The company's current name is Saito Tech Ltd., and it shares several investors with NSO Group.

In July, Citizen Lab and Microsoft researchers stated that more than 100 journalists, politicians, human rights activists, and dissidents in several countries had been targeted in a spyware operation that deployed sophisticated 'cyberweapons' created by Candiru.

Candiru, according to Citizen Lab, offers spyware to governments and authoritarian leaders only, who then use the tools to hijack PCs, Macs, phones, and cloud accounts. Candiru's clients can attempt to breach an infinite number of devices for €16 million (£13.4 million), but they can only actively track 10 devices at a time, according to the Citizen Lab. Buyers may pay an extra €1.5 million (about £1.25 million) to have Candiru monitor an additional 15 victims.