Spyware toolkit used by governments, hackers to break into Windows machines

Bad Bots
(Image credit: Gonin / Shutterstock)
Audio player loading…

Cybersecurity (opens in new tab) experts have shared details about a mercenary spyware vendor that exploited at least a couple of zero-day vulnerabilities, which Microsoft patched in the July Patch Tuesday (opens in new tab).

Security experts from Microsoft Threat Intelligence Center (MSTIC) worked together with internet watchdog Citizen Lab to blow the lid off the Israel-based mercenary spyware company (opens in new tab), Candiru, which sells spyware exploit toolkits exclusively to governments.

“Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices. With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves,” observes MSTIC in a blog post (opens in new tab).

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

>> Click here to start the survey in a new window (opens in new tab) <<

While Citizen Lab directly identifies Candiru as the toolkit author, Microsoft has chosen to refer to it by its code-name Sourgum.  

Targeted spyware

MSTIC and Citizen Lab say that Candiru/Sourgum used the zero-day vulnerability to craft a malware (opens in new tab) dubbed DevilsTounge. 

According to their investigation, DevilTounge infected at least a hundred human rights defenders, dissidents, journalists, activists, and politicians in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore.

Citizen Lab identified a politically active victim in Western Europe and worked with it to recover a copy of DevilsTounge, which led to the discovery of the now-patched privilege escalation vulnerabilities, specifically tracked as CVE-2021-31979 and CVE-2021-33771. 

According to MSTIC’s breakdown of the spyware, in addition to standard malware capabilities including exfiltrating files, credentials, and other sensitive information, DevilsTounge is also designed to decrypt and exfiltrate conversations from the Signal messaging app, the preferred means of communication by activists to circumvent snooping. 

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.