Windows spyware and zero-days linked to prodigious Israeli hack-for-hire company
Catalin Cimpanu July 15, 2021

  • Browser and Windows zero-day exploits were used to infect Windows users with the DevilsEye spyware.
  • Microsoft & Citizen Lab said DevilsEye was developed by Israeli company Candiru, which sells it to government clients.
  • The DevilsEye spyware was found on at least 100 systems of high-profile targets.

Microsoft and Citizen Lab said today that an Israeli company named Candiru is behind two Windows zero-day exploits that have been used to deploy a never-before-seen spyware strain on the devices of at least 100 victims, including politicians, human rights activists, journalists, academics, embassy workers and political dissidents.

Founded in 2014, the company is part of Israel’s burgeoning cybersecurity scene, where it has provided offensive capabilities to governments across the world.

While the company’s hack-for-hire offerings have been known for years, details about the company and its capabilities have remained largely unknown.

Candiru boasts of being able to infect and monitor iPhones, Androids, Macs, PCs, and cloud accounts. The two reports released today by Microsoft and Citizen Lab are the first to describe one of the company’s hacking tools in great technical depth.

Candiru linked to DevilsEye malware, several zero-days

Named DevilsEye, this tool is a Windows malware strain with spyware capabilities that can allow Candiru’s clients full access to an infected device once the tool has been deployed on a target’s Windows system.

The existence of this spyware was first discovered by security researchers from the University of Toronto’s Citizen Lab while conducting a forensic investigation on the device of “a politically active victim in Western Europe.”

After Citizen Lab shared its findings with Microsoft, the OS maker was able to use its extensive telemetry database to uncover at least 100 victims infected with DevilsEye in countries such as Palestine, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore.

See the Microsoft and Citizen Lab reports for a technical breakdown of the DevilsEye malware.

Microsoft said that the spyware was typically deployed by luring victims to websites hosting an exploit kit that abused browser vulnerabilities to plant the malware on a victim’s device, where it subsequently abused a second-stage Windows exploit to gain admin-level access for its operators.

The attack chain was highly advanced and used never-before-seen vulnerabilities, known as zero-days in the cybersecurity community.

These included two Chrome zero-days (CVE-2021-21166 and CVE-2021-30551), an Internet Explorer one (CVE-2021-33742), and two in the Windows OS (CVE-2021-31979 and CVE-2021-33771).

All vulnerabilities have been patched as of today’s reports.

The first three zero-days are the same ones listed in a Google report published on Wednesday, in which the search giant’s security teams linked the Chrome and IE exploits to an unnamed commercial surveillance company. Google said the zero-days were sold to at least two state-sponsored threat actors, which abused them in attacks against Armenian targets. In an update today, Google also attributed the zero-days to Candiru.

Hundreds of Candiru domains still active

However, the Citizen Lab team said that Candiru’s hacking-for-hire capabilities are far larger than what can be gleaned from Google’s and Microsoft’s reports.

Citizen Lab analysts said they found more than 750 domains that hosted Candiru spyware, including large clusters in the UAE and Saudi Arabia, which suggests the two countries are some of the company’s bigger customers.

Some of these domains masqueraded as advocacy organizations such as Amnesty International and the Black Lives Matter movement, as well as media companies and other civil-society-themed entities, suggesting that the attacks were mostly aimed at activists rather than at unmasking criminal groups.

In a separate blog post on Thursday, Cristin Goodwin, General Manager, Digital Security Unit, echoed Microsoft’s previous call to action against companies like Candiru, which have been observed selling cyber arms to abusive regimes for years. These governments have often been seen using these hacking tools against civil society members instead of for espionage or tracking criminals.

Microsoft has previously said that cyber arms dealers should not have immunity for their actions when their tools are used for human rights abuses.

Candiru could not be contacted for comment as the company’s past domains returned errors today.

Goodwin also said that Microsoft deployed protections against Candiru’s malware.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.