A 0-day vulnerability that was used to infect Chrome users could also be dangerous for Edge and Safari users.

After being quiet for a while, Candiru shows its ugly face again.

Security researchers say that a mysterious seller of cyberattack software recently used a previously unknown Chrome vulnerability and two other zero-days to infect journalists and other targets with sophisticated spyware.

The vulnerability, which is tracked as CVE-2022-2294, comes from memory corruption flaws in Web Real-Time Communications, which is an open source project that provides JavaScript programming interfaces to allow real-time voice, text, and video communications between web browsers and devices. Google fixed the flaw on July 4 after researchers from security company Avast told the company in private that it was being used in watering hole attacks. In these attacks, malware is put on specific websites in order to infect frequent users. Since then, both Microsoft and Apple have fixed the same WebRTC bug in their Edge and Safari browsers.

Avast said on Thursday that it had found multiple attack campaigns. Each one sent the exploit to Chrome users in Lebanon, Turkey, Yemen, and Palestine in a different way. The sites with watering holes were very picky about which visitors to infect. Once the watering hole sites were able to take advantage of the vulnerability, they used their access to install DevilsTongue, which is what Microsoft called the advanced malware that Candiru, an Israeli company, sold last year.

Avast researcher Jan Vojtěšek wrote, “In Lebanon, the attackers seem to have taken over a website used by employees of a news agency. We don’t know for sure what the attackers were after, but most of the time, they go after journalists to spy on them and the stories they’re working on, or to get to their sources and get embarrassing or sensitive information they gave to the press.”

Vojtěšek said that Candiru had kept a low profile since Microsoft and CitizenLab exposed it in July of last year. The researcher said that the company resurfaced with new tools in March. The watering hole site, which Avast didn’t name, was careful not only to infect selected visitors only, but also to keep researchers and other hackers from discovering its valuable zero-day vulnerabilities.

Interestingly enough, the hacked website had evidence of persistent XSS attacks, like pages that called the JavaScript function alert and had words like “test” on them. We think this is how the attackers tested the XSS flaw before using it for real by injecting a piece of code that loads malicious JavaScript from a domain controlled by the attackers. This code then sent the intended victims (and only the intended victims) to the exploit server via several other domains that the attacker controlled.

Image caption: The malicious code added to the hacked website, which loaded more JavaScript from stylishblock[.]com.
Candiru gets more information about the victim once they reach the exploit server. About 50 data points about the victim’s browser are taken and sent to the attackers to make a “profile.” The information that is collected includes the victim’s language, time zone, screen information, device type, browser plugins, referrer, device memory, cookie functionality, and more. We think this was done to protect the exploit even more and make sure that it only went to the right people. If the data collected is good enough for the exploit server, it will use RSA-2048 to give the victim an encryption key. With the help of AES-256-CBC and this encryption key, a secure channel is set up through which the zero-day exploits can be sent to the victim. This encrypted channel is set up on top of TLS. This hides the exploits even from people who would decrypt the TLS session to get the plaintext HTTP traffic.

Despite the attackers’ precautions, Avast was able to recover the attack code for CVE-2022-2294. It exploited a heap overflow in WebRTC to run malicious shellcode inside a renderer process. Recovering it let Avast identify the flaw and report it to the developers so that it could be fixed. The security firm couldn’t get the second zero-day exploit, which was needed for the first one to escape Chrome’s security sandbox. So, this second zero-day will live to fight another day.

Once DevilsTongue was installed, it tried to raise its system privileges by installing a Windows driver with another unpatched vulnerability. This means that at least three zero-day vulnerabilities were used in this campaign. Once the unidentified driver was installed, DevilsTongue would use the security hole to get into the kernel, which is the most sensitive part of any operating system. The method is called “BYOVD,” which stands for “bring your own vulnerable driver.” It lets malware get past OS protections because most drivers have automatic access to an OS kernel.

Avast has told the driver maker about the flaw, but there is no sign that a patch has been made available. As of the time of publication, the driver exploit had only been found by Avast and one other antivirus engine.

Google and Microsoft both fixed CVE-2022-2294 at the beginning of July, so it’s likely that most Chrome and Edge users are already safe. But Apple fixed the problem on Wednesday, so Safari users should make sure that their browsers are up-to-date.

“There is no way for us to know for sure whether or not other groups also took advantage of the WebRTC flaw, but it is possible,” Vojtěšek wrote. “Multiple groups may find the same zero-day at the same time, or someone may sell the same vulnerability/exploit to multiple groups, etc. But there is no sign that another group is using the same zero-day flaw.”