Spyware Maker Candiru Associated to Chrome Zero-day Targeting Journalists

This injected code was used to route victims to the exploit server through a chain of domains under the attacker's control.

Candiru, an Israeli surveillance vendor, used the newly patched CVE-2022-2294 Chrome zero-day in attacks on journalists. Avast researchers reported that Candiru's DevilsTongue spyware was deployed against journalists in the Middle East and that the attacks exploited the recently fixed CVE-2022-2294 Chrome zero-day vulnerability.

The issue, which Google addressed on July 4, 2022, is a heap buffer overflow in the Web Real-Time Communications (WebRTC) component; it is Google's fourth zero-day patch in 2022. The majority of the assaults discovered by Avast researchers occurred in Lebanon, and threat actors employed various attack chains to target journalists. 

Since March 2022, further infections have been detected in Turkey, Yemen, and Palestine. In one case, the threat actors carried out a watering hole attack by compromising a website frequented by news agency staff. The researchers discovered artefacts associated with attempts to exploit an XSS flaw on the website.

The pages contained calls to the JavaScript function "alert" as well as terms like "test," implying that the attackers were testing the XSS vulnerability before abusing it to inject a loader for a malicious JavaScript file served from an attacker-controlled domain (i.e. stylishblock[.]com). This injected code was used to send victims to the exploit server via a chain of domains controlled by the attacker.
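The two artefacts described above, an injected external script loader and leftover "alert"/"test" probes, are things a site owner can scan a captured copy of their own pages for. The following is an added example written for this post (not code from Avast or from the article); the sample HTML and the host names in it are constructed, with `loader.attacker.example` standing in for the attacker-controlled domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample of a compromised page: a first-party script, a trusted CDN
# script, an injected loader from an attacker-controlled host (placeholder for
# the domain the article names), and a leftover XSS probe in an inline script.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.news-site.example/lib.js"></script>
<script src="https://loader.attacker.example/l.js"></script>
</head><body>
<h1>News</h1><script>alert("test")</script>
</body></html>
"""

class ScriptCollector(HTMLParser):
    """Collect external script sources and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True   # body arrives via handle_data

    def handle_data(self, data):
        if self._in_inline:
            self.inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def unexpected_script_hosts(html, allowed_hosts):
    """Return hosts of external scripts that are not on the site's allow-list.
    Relative sources (no host) belong to the site itself and are skipped."""
    p = ScriptCollector()
    p.feed(html)
    hosts = {urlparse(s).hostname for s in p.external}
    return sorted(h for h in hosts if h and h not in allowed_hosts)

# alert("test"), alert('test') or alert(test): the probe pattern the article describes.
PROBE_RE = re.compile(r'\balert\s*\(\s*["\']?test["\']?\s*\)')

def xss_probe_artifacts(html):
    """Return inline script bodies that look like leftover XSS test payloads."""
    p = ScriptCollector()
    p.feed(html)
    return [s.strip() for s in p.inline if PROBE_RE.search(s)]
```

Run both functions over a crawl of the site's own pages and alert on any non-empty result; the allow-list is the set of third-party hosts the site is known to load scripts from.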

Once the victim reaches the exploit server, code written by Candiru collects further information about the target machine, and the exploit is delivered to install the spyware only if the collected profile satisfies the exploit server's checks.

“While the exploit was specifically designed for Chrome on Windows, the vulnerability’s potential was much wider. Since the root cause was located in WebRTC, the vulnerability affected not only other Chromium-based browsers (like Microsoft Edge) but also different browsers like Apple’s Safari.” reads the analysis published by Avast. 

“We do not know if Candiru developed exploits other than the one targeting Chrome on Windows, but it’s possible that they did.” 

The zero-day was chained with a sandbox escape exploit, but the researchers could not recover it because of the protections built into the malware. After gaining a foothold on the victim's computer, the DevilsTongue malware attempts to escalate its privileges by exploiting another zero-day vulnerability.

In a BYOVD (Bring Your Own Vulnerable Driver) attack, the malware abuses a legitimately signed but vulnerable kernel driver. To exploit the driver, it must first be dropped to the filesystem, a step the experts noted can be used to detect the attack.

“While there is no way for us to know for certain whether or not the WebRTC vulnerability was exploited by other groups as well, it is a possibility. Sometimes zero-days get independently discovered by multiple groups, sometimes someone sells the same vulnerability/exploit to multiple groups, etc. But we have no indication that there is another group exploiting this same zero-day.” concludes the report.