Israel-based surveillance firm Candiru, also tracked as Sourgum, used Windows zero-days to deliver a new Windows spyware dubbed DevilsTongue.
According to the experts from Microsoft and Citizen Lab, at least 100 activists, journalists and government dissidents across 10 countries were targeted with Candiru’s spyware.
Microsoft published a post stating that it has taken this threat seriously and has disrupted the use of certain cyber weapons manufactured and sold by the group it calls Sourgum.
Candiru reportedly sells its surveillance software exclusively to governments; its spyware can target iPhones, Android devices, Macs, PCs, and cloud accounts.
According to the report published by Citizen Lab, its researchers worked with the Microsoft Threat Intelligence Center (MSTIC) to analyze the spyware, which led Microsoft to discover CVE-2021-31979 and CVE-2021-33771, two privilege escalation vulnerabilities exploited by Candiru.
Both flaws were patched by Microsoft on July 13, 2021.
During the investigation, Microsoft observed at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore. Victims include human rights defenders, dissidents, journalists, activists, and politicians.
Candiru’s spyware can be deployed through different vectors, including malicious links, man-in-the-middle attacks, and physical access to the device. The firm also offers an infection vector named “Sherlock” that works on Windows, iOS, and Android. Citizen Lab researchers believe that Sherlock may be a browser-based zero-click vector.
Using Internet scanning, researchers identified more than 750 websites belonging to Candiru’s spyware infrastructure. The company used domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society-themed entities.
DevilsTongue allows operators to spy on victims, collect sensitive data, decrypt and steal Signal messages on Windows devices, and steal information stored by major web browsers.
It can also send messages from email and social media accounts that are logged in on the infected system. Operators could use this feature to send malicious messages to the victim’s contacts.
Candiru’s widespread presence, and the use of its surveillance technology against global civil society, is a reminder that the mercenary spyware industry contains many players and is prone to widespread abuse.