Spyware Group Candiru: Targets Journalists in the Middle East With DevilsTongue Malware

Spyware dubbed DevilsTongue is causing a fair share of trouble for journalists and free speech advocates in the Middle East, especially those Lebanon-based. Adversaries exploit a Chrome zero-day assigned CVE-2022-2294 that Google patched earlier this month to achieve shellcode execution, elevate privileges, and gain file-system permissions on the breached device’s memory.

Researchers discovered that the threat actor known as Candiru leveraged both compromised legitimate websites and bogus ones, promoted via spear phishing. The only action required on the victims’ side was to open the weaponized site in any Chromium-based browser.

Detect DevilsTongue Malware

To proactively defend organizations against new DevilsTongue malware samples, a top-tier Threat Bounty developer Kyaw Pyiyt Htet has timely released a unique, context-enriched Sigma rule, allowing to detect the file creation events of DevilsTongue in Candiru campaigns:

Suspicious DevilsTongue Spyware Activity By Detection of Associated File Events

This detection is available for the following SIEM, EDR & XDR security and analytics platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, SentinelOne, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Chronicle Security, Microsoft Defender ATP, Securonix, Apache Kafka ksqlDB, Carbon Black, Open Distro, and AWS OpenSearch, and Snowflake. Moreover, the Sigma rule is also aligned with the MITRE ATT&CK® framework v.10, addressing the Execution tactic represented by the User Execution technique (T1204).

Promising threat hunters would make a valuable asset to SOC Prime’s Threat Bounty Program, where they can create a personal brand and contribute to collaborative cyber defense together with other 600+ skilled freelance detection engineers.

Registered users can access all detection content associated with DevilsTongue spyware by clicking the Detect & Hunt button. Threat hunters, detection engineers, and other InfoSec practitioners striving to improve the organization’s cybersecurity posture can browse a vast library of detection content items enhanced with relevant threat context by hitting the Explore Threat Context: the access is not registration-based.

Detect & Hunt Explore Threat Context

Candiru’s Spyware Analysis

Security researchers from the antivirus firm Avast released a report on a surge in attacks with DevilsTongue spyware, developed by Israeli surveillance firm Candiru. The attacks were registered in March 2022 in Palestine, Yemen, Turkey, and Lebanon, targeting news agency workers.

Authorities claim that Candiru (also known as Sourgum, Grindavik, and Saito Tech – the names changed throughout its existence) is a hacking-for-hire company that sells the DevilsTongue spying software to government clients. Engineers linked to the development of the notorious Pegasus spyware (NSO Group) are considered to be the founders of this spyware vendor. The firm was established in 2014 but first got on the security radar in 2019, powering the attacks against dissidents and free speech defenders in Uzbekistan. The company has targeted more than 100 journalists and dissidents across ten countries.

In the latest campaign, adversaries used CVE-2022-2294 Chromium Open Source Software (OSS) vulnerability, patched on July 4. When the target is acquired, adversaries establish a foothold on the victim’s computer to deliver DevilsTongue spyware. The goal is to steal data, e.g., pictures, text messages, and call log history and track the location of a breached device in real-time.

To achieve an efficient detection opt for emerging and existing threats, leverage the benefits of the world’s first Detection as Code platform. Obtain better visibility into threats passing through your network with SOC Prime’s cutting-edge detection solutions.