Earlier this week, as part of its Patch Tuesday release, Microsoft patched two zero-day Windows flaws whose exploits had been weaponized by an Israel-based company called Candiru in a series of "precision attacks" against more than 100 journalists, academics, activists, and political dissidents worldwide.
According to a report published by the University of Toronto's Citizen Lab, the spyware vendor Candiru was also formally identified as the commercial surveillance company that Google's Threat Analysis Group (TAG) revealed had been exploiting multiple zero-day vulnerabilities in the Chrome browser to target victims in Armenia.
Established in 2014, the private-sector offensive actor codenamed "Sourgum" by Microsoft is thought to be the creator of DevilsTongue, an espionage toolkit capable of infecting and monitoring a wide range of devices across various platforms, including iPhones, Androids, Macs, PCs, and cloud accounts.
Citizen Lab said it recovered a copy of Candiru's Windows spyware after acquiring a hard drive from "a politically engaged victim in West Europe." Reverse engineering that copy identified two never-before-seen Windows zero-day exploits, for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771, that were used to install malware on victim machines.
The infection chain used a combination of browser and Windows exploits, with the former delivered via single-use URLs sent to targets through messaging apps like WhatsApp. On July 13, Microsoft patched both privilege escalation flaws, which allow an adversary to escape the browser sandbox and gain kernel code execution.
The intrusions resulted in the deployment of DevilsTongue, a modular C/C++-based backdoor capable of exfiltrating files, exporting messages saved in the encrypted messaging app Signal, and stealing cookies and passwords from the Chrome, Internet Explorer, Firefox, Safari, and Opera browsers.