New Candiru attack targets journalists in the Middle East

Emma McGowan 28 Jul 2022

This attack fits into a wider trend of governments targeting journalists worldwide.

Earlier this summer, Avast Threat Labs researchers discovered a zero-day vulnerability in Google Chrome when it was utilized in attacks on Avast users in the Middle East. The attacks were highly targeted and, in Lebanon, focused on journalists. The remainder of the attacks took place in Turkey, Yemen, and Palestine.

After examining the malware and the tactics, techniques, and procedures (TTPs) used in the attacks, the researchers determined that they were carried out by a secretive spyware group that calls itself Candiru, among other names. According to CitizenLab — who, along with Microsoft, uncovered the group in 2021 — Candiru is based in Israel and is said to only sell their spyware to governments. They recruit primarily from the signals intelligence unit of the Israeli Defense Forces.

When Candiru was first exposed in July 2021, the victims of its spyware included “human rights defenders, dissidents, journalists, activists, and politicians,” in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore, according to CitizenLab.

“After Candiru was exposed by Microsoft and CitizenLab in July 2021, it laid low for months, most likely taking its time to update its malware to evade existing detection,” Avast Threat Labs malware researcher Jan Vojtěšek says.

The Palestinian attack in this latest wave was made via a porn site, although researchers aren’t clear if the site itself was compromised or if Candiru utilized malvertising. Infected advertisements seem like an imprecise infection vector, considering the power of this group. But when you take into account the fact that their clients are always governments, then it can be inferred that they likely had access to information about sites visited through internet service providers (ISPs).

The majority of attacks, however, were carried out on journalists in Lebanon via a compromised internal content management system (CMS), which Vojtěšek believes had a cross site scripting (XSS) vulnerability. The site was only accessible via a login screen, which implies that Candiru had intimate knowledge of how the journalists at this publication work.

“Interestingly, the compromised website contained artifacts of persistent XSS attacks, with there being pages that contained calls to the Javascript function ‘alert’ along with keywords like ‘test,’” Vojtěšek says. “We suppose that this is how the attackers tested the XSS vulnerability, before ultimately exploiting it for real by injecting a piece of code that loads malicious JavaScript from an attacker-controlled domain. This injected code was then responsible for routing the intended victims (and only the intended victims) to the exploit server, through several other attacker-controlled domains.”

The sophisticated attack started by creating a profile of intended victims that included about 50 data points, including  language, time zone, screen information, device type, browser plugins, referrer, device memory, cookie functionality, and more. Vojtěšek theorizes this was done to ensure that the victim was one of the intended targets. Then, the exploit server created an encrypted tunnel through which it delivered DevilsTongue, which is a known spyware. DevilsTongue has the ability to collect files, run registry queries, run commands, query SQLite databases, steal browser credentials, and even decrypt and exfiltrate Signal conversations. 

This attack fits into a wider trend of governments targeting journalists worldwide. For example, journalists at El Salvador’s biggest newspaper, El Faro, were targeted in 2020 and 2021. That attack utilized Pegasus spyware, which belongs to the NSO Group. While the government denied responsibility for the attack and NSO Group would not say whether they’d sold the software to the El Salvadoran government, NSO Group (which, like Candiru, is based in Israel) only works with government clients. These two companies are somehow connected, as Candiru’s largest shareholder is said to also be the founding funder of the NSO Group. Pegasus was also installed on the phone of the wife of late Saudi journalist Jamal Khashoggi, who was murdered in 2018 inside the Saudi consulate in Istanbul, among hundreds of others worldwide.

--> -->