DevilsTongue Spyware Detection

July 22, 2021 · 5 min read
DevilsTongue Detection

Israeli spyware firm Candiru supplied zero-day exploits to the nation-baked actors globally, Microsoft and Citizen Lab revealed. According to the analysis, Candiru leveraged previously unknown zero-day bugs in Windows and Chrome to power its high-end spyware dubbed DevilsTongue. Although DevilsTongue was marketed as a “mercenary software” facilitating surveillance operations for government agencies, it was identified as a primary tool used by APT actors in their malicious operations across Uzbekistan, Saudi Arabia, the United Arab Emirates (UAE), Singapore, and Qatar.

Who Is Candiru?

Candiru (also known as Sourgum) is a covert Israel-based spyware firm that officially supplies surveillance tools to government clients. According to the in-depth investigation from Citizen Lab, Candiru’s spyware enables infection and secret monitoring across a variety of devices, including mobile, desktop, and cloud accounts.

The firm was established back in 2014 and has undergone multiple name changes to stay in shadow and avoid public scrutiny. Currently, the vendor calls itself Saito Tech Ltd, however, it is still tracked as Candiru, which is the most well-known of its names. 

The tools and exploits supplied by Candiru were first detected in 2019 during a government hacking campaign in Uzbekistan. The firm was secretly providing its exploit packages to power the attacks against journalists, government representatives, and dissidents.

Candiru’s infrastructure has been growing since then. Currently, Citizen Labs identifies over 750 compromised web pages linked to the malicious ecosystem, including many domains disguised as international advocacy organizations or media vendors.

The research from Microsoft says that apart from government surveillance campaigns, APT actors also leveraged the notorious spyware. In fact, more than 100 victims were identified across the Middle East, Europe, and Asia, most of them being human rights activists, dissidents, and politicians. 

What is DevilsTongue?

DevilsTongue is a primary Candiru product described as a sophisticated multifunctional malicious strain coded in C and C++. Analysis of the attack kill chain shows that the spyware is typically delivered with the help of vulnerabilities present in Windows and Google Chrome. Particularly, Microsoft experts identified that Candiru leveraged two privilege escalation flaws (CVE-2021-31979, CVE-2021-33771) present in Windows NT-based operating system (NTOS). Successful exploitation of these security holes allowed DevilsTongue users to elevate their privileges on the compromised system without being captured by sandboxes and gain kernel code execution. Both vulnerabilities were investigated and patch by the vendor in July 2021. Also, researchers track the exploitation of CVE-2021-33742 in Internet Explorer’s MSHTML scripting engine, which has also been patched.

The research from Google confirms that Candiru maintainers also used Chrome zero-days to boost its attack capabilities. Particularly, CVE-2021-21166 and CVE-2021-30551 in Chrome were chained with previously described Windows issues to covertly install the spyware on the instance and elevate privileges to admin. Notably, the flaws exploited for this purpose have been already patched by Google in its latest Chrome releases.

Upon infection, DevilsTongue is capable of performing a variety of malicious actions, including stealing secret data, decrypting and stealing Signal messages, extracting cookies or saved passwords from LSASS and major browsers. The spyware can also leverage cookies for popular social networking platforms and email clients to collect sensitive information about its victims, read private messages, and grab photos. Moreover, DevilsTongue might message from victim’s mane on some of these platforms, appearing to be absolutely legitimate.

DevilsTongue Attack Detection

To prevent possible compromise by the DevilsTongue malware, it is recommended to open links by unknown or untrusted sources in the isolated environment. 

SOC Prime’s Threat Bounty developer Sittikorn has published a community Sigma rule that spots the recently patched Windows zero-day vulnerabilities CVE-2021-31979 and CVE-2021-33771 exploits associated with the DevilsTongue attacks. The community Sigma rule Sourgum CVE-2021-31979 and CVE-2021-33771 exploits is available for Threat Detection Marketplace users upon registration. 

The detection is available for the following technologies: Azure Sentinel, ELK Stack, Chronicle Security, Splunk, Sumo Logic, ArcSight, QRadar, Humio, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Apache Kafka ksqlDB, Securonix.

The Candiru Domains Detection rule by Onur Atali helps to detect country-specific domains associated with the DevilTounge attack. The detection is available for the following technologies: Azure Sentinel, ELK Stack, Chronicle Security, Splunk, Sumo Logic, ArcSight, QRadar, Humio, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Apache Kafka ksqlDB, Qualys, Securonix.

Also, Threat Detection Marketplace indexes a SOURGUM Actor IOC – July 2021 rule developed by Microsoft Azure Sentinel. This rule identifies a match across IOC’s related to Candiru (Sourgum) actor.

All detections are mapped to MITRE ATT&CK methodology addressing the Credential Access tactics and the Phishing technique (t1566)  and Exploitation for Client Execution (t1203)  technique.

Sign up to Threat Detection Marketplace to reach over 100K qualified, cross-vendor, and cross-tool SOC content items tailored to 20+ market-leading SIEM, EDR, NTDR, and XDR technologies. Enthusiastic to participate in threat hunting activities and enrich our library with new Sigma rules? Join our Threat Bounty Program for a safer future!

Go to Platform Join Threat Bounty

Was this article helpful?

Like and share it with your peers.

Related Posts