An Israeli spyware vendor weaponized an actively exploited, now-patched Google Chrome zero-day and deployed it against journalists in the Middle East.
The exploitation was attributed to Candiru (aka Saito Tech) by the Czech cybersecurity company Avast. Candiru has a history of using previously unknown vulnerabilities to spread the Windows malware known as DevilsTongue, a modular implant with Pegasus-like capabilities.
The vulnerability in question is CVE-2022-2294, a memory corruption flaw in the WebRTC component of the Google Chrome browser that could be exploited to execute shellcode. It was addressed by Google on July 4, 2022.
The findings shed light on several attack campaigns carried out by the Israeli hacker-for-hire vendor, which is alleged to have returned in March 2022 with a retooled toolkit to target users in Lebanon, Turkey, Yemen, and Palestine via watering hole attacks employing zero-day exploits for Google Chrome.
The last time Candiru was exposed, by Microsoft and Citizen Lab, the firm halted all DevilsTongue operations and worked in the shadows to develop new zero-days, as Avast now reveals.