Spyware toolkit used by governments, hackers to break into Windows machines

Bad Bots
(Image credit: Gonin / Shutterstock)

Cybersecurity experts have shared details about a mercenary spyware vendor that exploited at least a couple of zero-day vulnerabilities, which Microsoft patched in the July Patch Tuesday.

Security experts from Microsoft Threat Intelligence Center (MSTIC) worked together with internet watchdog Citizen Lab to blow the lid off the Israel-based mercenary spyware company, Candiru, which sells spyware exploit toolkits exclusively to governments.

“Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices. With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves,” observes MSTIC in a blog post.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

>> Click here to start the survey in a new window <<

While Citizen Lab directly identifies Candiru as the toolkit author, Microsoft has chosen to refer to it by its code-name Sourgum.  

Targeted spyware

MSTIC and Citizen Lab say that Candiru/Sourgum used the zero-day vulnerability to craft a malware dubbed DevilsTounge. 

According to their investigation, DevilTounge infected at least a hundred human rights defenders, dissidents, journalists, activists, and politicians in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore.

Citizen Lab identified a politically active victim in Western Europe and worked with it to recover a copy of DevilsTounge, which led to the discovery of the now-patched privilege escalation vulnerabilities, specifically tracked as CVE-2021-31979 and CVE-2021-33771. 

According to MSTIC’s breakdown of the spyware, in addition to standard malware capabilities including exfiltrating files, credentials, and other sensitive information, DevilsTounge is also designed to decrypt and exfiltrate conversations from the Signal messaging app, the preferred means of communication by activists to circumvent snooping. 

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.