Researchers at the Citizen Lab, Microsoft and Google have uncovered the DevilsTongue spyware. This advanced “spyware” was used to spy on more than a hundred activists, political figures and journalists. Its operators used previously unknown vulnerabilities in Windows, Google Chrome and Internet Explorer to deploy it.
“The weapons we disabled were used in precision attacks that targeted over 100 victims around the world,” writes Cristin Goodwin, general manager of Microsoft's Digital Security Unit. With its Tuesday July 12 patch, the Windows publisher fixed two so-called “zero-day” flaws (that is to say, previously unknown ones) exploited by an “offensive actor” that it nicknamed “Sourgum”. Citizen Lab researchers, who were instrumental in this discovery, claim that Sourgum is none other than the Israeli hacking tool vendor Candiru.
The two vulnerabilities were the starting points of a multi-stage attack chain intended to deploy spyware that had not been analyzed until now, called “DevilsTongue” (“the demon's tongue”) by Microsoft. Like any good spyware, DevilsTongue can, among other things, steal files, steal credentials (and session cookies) in order to get into the victim’s accounts, or read the messages received in practically any application. In addition to being a perfect Swiss Army knife for espionage, the malware was designed to avoid the vast majority of Windows detection measures. “The developers are very professional, and have extensive experience writing Windows malware, coupled with a good understanding of operational security,” warns the publisher.
Microsoft speaks of the tool as a “cyber weapon”, a term borrowed from military vocabulary, but many experts prefer to keep the expression “monitoring software”. For good reason: the victims of the spyware are civilians, spied on by Candiru’s client governments. They are politicians, human rights defenders, journalists, academic researchers, embassy employees or even political opponents.
The activity of Candiru, created in 2014, is reminiscent of that of its counterpart and compatriot NSO Group, whose spyware Pegasus was used in premeditating the murder of Saudi journalist Jamal Khashoggi. These companies claim that the use of their technology is limited to fighting terrorism or arresting criminals. But it has been proven time and time again that these advanced surveillance technologies are used primarily for government-led repression and censorship operations.
Microsoft, Google and a cutting-edge laboratory mobilized to defuse the operation
To identify and correct the two vulnerabilities, Microsoft was able to count on the help of researchers at the Citizen Lab, a research unit at the University of Toronto that is at the forefront of surveillance research. The scientists identified an early spyware victim, “politically active in Western Europe”, who agreed to collaborate. This person provided his infected machine to Windows engineers, who were able to dissect the malware and work out how it functioned, a method known as reverse engineering. From there, Microsoft was able to find traces of the malware on the machines of a hundred victims, half of them located in Palestine, but also in Israel, the United Kingdom, Spain, Turkey, Armenia, Singapore and even in Lebanon, Iran and Yemen.
In 7 years of existence, Candiru has changed its name several times, and while its activity was known, its real capabilities were not. The company says it can monitor computers, whether PCs or Macs, but also Android and iOS smartphones. Moreover, the Windows flaws are not the only ones to have been discovered: two Google Chrome zero-days and one Internet Explorer zero-day were also exploited by Candiru. All of these vulnerabilities have been fixed, but according to the Citizen Lab, the Israeli company has a much larger arsenal, as yet unknown.
Multi-million dollar precision malware
DevilsTongue operators tried to lure victims to booby-trapped websites in order to take advantage of this set of vulnerabilities that only they knew existed. In all, the researchers identified 750 domains intended to deploy the spyware, which imitated entities likely to interest the targets of the malware: Amnesty International, Black Lives Matter or various media outlets. Once the operation succeeded, the hackers could easily gain administrator access to the system: in other words, they gave themselves the power to do and change whatever they wanted.
The price of DevilsTongue is no longer unknown, but The Register recalls that of its competitor Pegasus, once again unveiled by the Citizen Lab: no less than $20 million to afford unlimited attempts to inject the malware. However, for this amount, the buyer can only track 10 devices at the same time, and in a single country. He will need to add $1.8 million to track 15 more, and no less than 6.5 million to track 25 machines in more than 5 countries simultaneously.