Press releases

Zero-day Vulnerability Abused by Candiru Spyware to Target Journalists in the Middle East

Tel Aviv based spyware vendor, Candiru, collected information about potential victims and delivered a zero-day exploit for Google Chrome to targeted victims to deliver malicious payload, DevilsTongue, to gain full access to their devices.

Tel Aviv based spyware vendor, Candiru, collected information about potential victims and delivered a zero-day exploit for Google Chrome to targeted victims to deliver malicious payload, DevilsTongue, to gain full access to their devices.


Prague, Czech Republic, July 21, 2022 -  Avast (LSE:AVST) recently discovered a zero-day vulnerability in Google Chrome (CVE-2022-2294) when it was exploited in the wild in an attempt to attack Avast users in the Middle East in a highly targeted way via spyware with origins in Israel. Specifically, the Avast Threat Intelligence team found out that in Lebanon, journalists were among the targeted parties, and further targets were located in Turkey, Yemen, and Palestine. The Avast Threat Intelligence team reported this vulnerability to Google, who patched it on July 4, 2022.

Based on the malware and tactics used to carry out the attack, the Avast researchers attributed it to spyware vendor Candiru, based in Tel Aviv and known to sell espionage software to government clients. Via this attack, a profile of the victim’s browser, consisting of about 50 data points, is collected and sent to the attackers. The collected information includes the victim’s language, timezone, screen information, device type, browser plugins, referrer, device memory, cookie functionality, and more, likely to further protect the exploit and to make sure that it only gets delivered to the targeted victims.

If the collected data turns out to be what the attackers looked for, the zero-day exploit is delivered to the victim’s machine via an encrypted channel. After the attackers get onto the machine, a malicious payload known as DevilsTongue is delivered attempting to escalate the malware's privileges in order to gain full access to the victim’s machine. DevilsTongue is an advanced spyware, capable of recording the victim’s webcam and microphone, keylogging, exfiltrating the victim’s messaging, browsing history, passwords, geolocation, and much more.

"In Lebanon, the attackers seem to have compromised a website used by employees of a news agency. We can’t say for sure what the attackers might have been after, however often the reason why attackers go after journalists is to spy on them and the stories they’re working on directly, or to get to their sources and gather compromising information and sensitive data they shared with the press. An attack like this could pose a threat for press freedom,” said Jan Vojtěšek, Malware Researcher at Avast.

Because Google was fast to patch the vulnerability on July 4, 2022, Chrome users simply need to click the button when the browser prompts them to “restart to finish applying the update. The same procedure should be followed by users of most other Chromium-based browsers, including Avast Secure Browser. Safari users should update to version 15.6. Avast urges all developers using WebRTC to patch as soon as possible.