Hackers exploited a flaw in Chrome to deploy DevilsTongue spyware

July 29, 2022

An Israeli spyware vendor was discovered exploiting a zero-day flaw in Google Chrome to spy on numerous journalists in the Middle East using the DevilsTongue spyware. The vulnerability was quickly reported to Google after its discovery, and the researchers published their initial analysis after studying the spyware on one of their clients' systems.

The operators were reportedly exploiting the zero-day flaw as early as March this year and targeted many users in multiple Middle Eastern countries, such as Yemen, Turkey, Palestine, and Lebanon.

Researchers identified the flaw as CVE-2022-2294, a high-severity heap-based buffer overflow in WebRTC. Google revealed that it had already patched the zero-day in July, after attackers had been exploiting it before the fix was released.

Fortunately, Safari users were not exploited even though the flaw also exists in its WebRTC implementation. The researchers explained that the attackers could only carry out the exploitation on Windows.


The DevilsTongue spyware operators have used different tactics to initiate their attacks.


Based on reports, the spyware operators deployed DevilsTongue after running numerous watering-hole and spear-phishing campaigns. The attack itself required no interaction from its victims, such as clicking an attached link or downloading a file.

However, the operators did need their targets to open a compromised website, or one built by a separate attacker, in a Chromium-based browser. In one case, the adversaries compromised a website used by a Lebanese news agency and inserted JavaScript snippets that carried out XSS attacks and redirected targets to the malicious server.

The zero-day used in that attack enabled shellcode execution inside the renderer process. The flaw was chained with a sandbox-escape vulnerability that Avast was unable to recover for analysis.

After infection, DevilsTongue used a BYOVD (bring your own vulnerable driver) step to escalate its privileges and gain read and write access to the compromised device's memory. Researchers then concluded that the threat actors had used the spyware to learn which news stories the journalists intended to cover.

This latest attack illustrates the threat posed by spyware vendors, since they can develop or purchase zero-day exploits to target the individuals their customers ask them to infiltrate. Therefore, users should always protect their data with robust encryption mechanisms and keep their devices updated with the latest patches.
