An Israeli spyware vendor weaponized a Google Chrome zero-day, actively exploited at the time but since patched, and deployed it against journalists in the Middle East.
Candiru Spyware
The Czech cybersecurity company Avast attributed the exploitation to Candiru (aka Saito Tech). Candiru has a history of using previously undisclosed vulnerabilities to deliver the Windows malware known as DevilsTongue, a modular implant with Pegasus-like capabilities.
The vulnerability in question is CVE-2022-2294, a memory corruption flaw in the WebRTC component of the Google Chrome browser that could lead to shellcode execution. Google addressed it on July 4, 2022.
The findings shed light on several attack campaigns carried out by the Israeli hacker-for-hire vendor, which is reported to have resurfaced in March 2022 with a retooled toolkit and targeted users in Lebanon, Turkey, Yemen and Palestine through watering hole attacks that employed zero-day exploits for Google Chrome.
The attackers compromised a website visited by staff members of a news agency and injected malicious JavaScript code from an actor-controlled domain, which redirected potential victims to an exploit server.
As Avast now reveals, the last time Candiru was exposed, by Microsoft and Citizen Lab, the firm halted all DevilsTongue operations and worked in the shadows to bring new zero-days into use.
IOCs

bad-shop[.]net
bestcarent[.]org
core-update[.]com
datanalytic[.]org
expertglobal[.]org
only-music[.]net
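The domains above are the redirect and exploit-delivery infrastructure a defender would hunt for in DNS and web proxy logs. The following script is an added example, not code from Avast or from the original post: it refangs the published indicators, then matches them against constructed log lines, treating a subdomain of an indicator (e.g. a host under core-update.com) as a hit while refusing to match unrelated domains that merely contain an indicator as a substring (e.g. notbad-shop.net). The log format and the sample lines are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators exactly as published in the post, defanged with [.].
DEFANGED_IOCS = [
    "bad-shop[.]net",
    "bestcarent[.]org",
    "core-update[.]com",
    "datanalytic[.]org",
    "expertglobal[.]org",
    "only-music[.]net",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a plain lowercase hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


IOC_DOMAINS = frozenset(refang(d) for d in DEFANGED_IOCS)


def matches_ioc(host: str) -> Optional[str]:
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    Matching is done label-by-label from the right, so 'cdn.core-update.com'
    matches 'core-update.com' but 'notbad-shop.net' does not match 'bad-shop.net'.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


# Assumed key=value log format: either a DNS query or a proxied URL per line.
_FIELD_RE = re.compile(r"\b(?:dns_query|url)=(\S+)")


def extract_host(line: str) -> Optional[str]:
    """Pull the queried name or the URL's hostname out of one log line."""
    m = _FIELD_RE.search(line)
    if not m:
        return None
    value = m.group(1)
    if value.startswith(("http://", "https://")):
        return urlsplit(value).hostname
    return value


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (log line, matched IOC) pairs for every line that hits an indicator."""
    hits = []
    for line in lines:
        host = extract_host(line)
        if host is None:
            continue
        ioc = matches_ioc(host)
        if ioc is not None:
            hits.append((line, ioc))
    return hits


# Constructed sample log lines (not real telemetry). Lines 1, 2 and 5 should hit;
# line 4 is the substring trap that a naive `ioc in line` check would misreport.
SAMPLE_LOG = [
    "2022-07-05T09:12:01Z src=10.1.4.22 dns_query=core-update.com",
    "2022-07-05T09:12:03Z src=10.1.4.22 url=https://cdn.core-update.com/analytics.js",
    "2022-07-05T09:13:11Z src=10.1.4.23 url=https://example.org/news/index.html",
    "2022-07-05T09:14:40Z src=10.1.4.31 dns_query=notbad-shop.net",
    "2022-07-05T09:15:02Z src=10.1.4.31 url=http://bad-shop.net/",
]

if __name__ == "__main__":
    for line, ioc in scan_log(SAMPLE_LOG):
        print(f"HIT {ioc}: {line}")
```

Feed real proxy or DNS exports through `scan_log` after adapting `_FIELD_RE` to the log format in use; the suffix-walk in `matches_ioc` is what keeps the check precise once the indicator list grows.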