Avast Threat Labs uncovered a targeted zero-day in Google Chrome (CVE-2022-2294) used in the wild to attack Avast users in the Middle East, including Lebanese journalists. The campaign combined watering hole attacks, a Chrome WebRTC exploit chain, and a BYOVD kernel driver route to deploy DevilsTongue spyware attributed to Candiru, with TLS-encrypted delivery to evade detection. #Candiru #DevilsTongue #CVE-2022-2294 #Avast #Lebanon #Journalists
Keypoints
- The zero-day CVE-2022-2294 in Chrome was exploited via a WebRTC memory corruption bug to achieve shellcode execution in the Chrome renderer.
- The activity is attributed to Candiru, a long-running spyware vendor, with an updated toolset observed in March 2022 and targets in Lebanon, Turkey, Yemen, and Palestine via watering hole campaigns.
- Attackers compromised a Lebanon news-agency website, used persistent XSS artifacts, and redirected victims to an exploit server through attacker-controlled domains.
- The exploit server gathers a ~50-point browser profile from victims and uses RSA-2048 to exchange an AES-256-CBC key, establishing an encrypted channel over TLS to deliver the zero-days.
- The final payload, DevilsTongue, attempts kernel access via another zero-day using a signed kernel driver dropped to disk (HW.sys) and exploited through specific IOCTLs.
- Persistence and defense evasion include hijacking CLSIDs to load legitimate system DLLs; the report lists a set of driver, DLL, domain and registry artifacts as IoCs.
MITRE Techniques
- [T1189] Drive-by Compromise – Attackers compromised a website and redirected victims to exploits via attacker-controlled domains. “the compromised website contained artifacts of persistent XSS attacks, with there being pages that contained calls to the Javascript function alert along with keywords like test.”
- [T1203] Exploitation for Client Execution – A memory corruption in WebRTC was abused to achieve shellcode execution in Chrome’s renderer process. “…memory corruption in WebRTC that was abused to achieve shellcode execution in Chrome’s renderer process.”
- [T1068] Exploitation for Privilege Escalation – The final stage attempts to get into the kernel using another zero-day exploit via a signed driver. “…attempts to get into the kernel using another zero-day exploit.”
- [T1574] Hijack Execution Flow – Hijacked CLSIDs (persistence mechanism) by pointing to legitimate DLLs to maintain persistence. “Hijacked CLSIDs (persistence mechanism)” and related registry entries such as InprocServer32.
- [T1071.001] Web Protocols – Communications use an encrypted channel on top of TLS to deliver exploits and hide traffic. “encrypted channel… set up on top of TLS, effectively hiding the exploits”
Indicators of Compromise
- [Domains] Infrastructure – bad-shop.net, bestcarent.org, core-update.com, datanalytic.org, expertglobal.org, only-music.net, popsonglist.com, querylight.net, smartstand.org, stylishblock.com, webs-update.com
- [Filesystem] DevilsTongue file paths – C:\Windows\System32\migration\netiopmig.dll, C:\Windows\System32\migration\sppvmig.dll, C:\Windows\System32\migration\spvmig.dll, C:\Windows\System32\ime\imejp\imjpueact.dll, C:\Windows\System32\ime\imejp\imjpuexp.dll, C:\Windows\System32\ime\shared\imccphd.dll, C:\Windows\System32\ime\shared\imebrokev.dll, C:\Windows\System32\ime\shared\imecpmeid.dll, C:\Windows\System32\ime\shared\imepadsvd.dll, C:\Windows\System32\migration\imjprmig.dll, C:\Windows\System32\wbem\dmwmibridgeprov132.dll, C:\Windows\System32\wbem\esscli32.dll, C:\Windows\System32\wbem\netdacim32.dll, C:\Windows\System32\wbem\netpeerdistcim32.dll, C:\Windows\System32\wbem\viewprov32.dll, C:\Windows\System32\wbem\wmiaprpl32.dll, C:\Windows\System32\wbem\wbemcore32.dll, C:\Windows\System32\wbem\wbemdisp32.dll
- [Registry] Hijacked CLSIDs – Registry keys mapping to InprocServer32 DLLs, e.g.: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 -> wbem\wbemprox.dll, HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}\InprocServer32 -> wbem\wbemcore.dll, etc.
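As an added example (not Avast's code and not part of the original summary), the script below sweeps the three indicator classes listed above, the domains, the DevilsTongue file paths and the hijacked CLSID InprocServer32 keys, over constructed sample telemetry: a few DNS log lines, a host file inventory and a fragment in Windows `.reg` export format. The file paths are written with the backslashes that extraction dropped from the list above (an assumption about the original form), the CLSID baseline targets are the two `-> wbem\...dll` mappings the summary gives, and the sample log lines, inventory entries and the `C:\Users\Public\wbemprox.dll` redirect are constructed for the demonstration. Path normalisation handles the `\??\` NT prefix and `%SystemRoot%`, two forms in which tooling commonly reports the same file.

```python
import re

# Indicators from the summary above. Sample telemetry further down is constructed.
IOC_DOMAINS = {
    "bad-shop.net", "bestcarent.org", "core-update.com", "datanalytic.org",
    "expertglobal.org", "only-music.net", "popsonglist.com", "querylight.net",
    "smartstand.org", "stylishblock.com", "webs-update.com",
}
# File-path IoCs with backslashes restored (assumed form of the listed paths).
IOC_PATHS = {p.lower() for p in (
    r"C:\Windows\System32\migration\netiopmig.dll", r"C:\Windows\System32\migration\sppvmig.dll",
    r"C:\Windows\System32\migration\spvmig.dll", r"C:\Windows\System32\migration\imjprmig.dll",
    r"C:\Windows\System32\ime\imejp\imjpueact.dll", r"C:\Windows\System32\ime\imejp\imjpuexp.dll",
    r"C:\Windows\System32\ime\shared\imccphd.dll", r"C:\Windows\System32\ime\shared\imebrokev.dll",
    r"C:\Windows\System32\ime\shared\imecpmeid.dll", r"C:\Windows\System32\ime\shared\imepadsvd.dll",
    r"C:\Windows\System32\wbem\dmwmibridgeprov132.dll", r"C:\Windows\System32\wbem\esscli32.dll",
    r"C:\Windows\System32\wbem\netdacim32.dll", r"C:\Windows\System32\wbem\netpeerdistcim32.dll",
    r"C:\Windows\System32\wbem\viewprov32.dll", r"C:\Windows\System32\wbem\wmiaprpl32.dll",
    r"C:\Windows\System32\wbem\wbemcore32.dll", r"C:\Windows\System32\wbem\wbemdisp32.dll",
)}
# Baseline InprocServer32 targets (relative to System32) for the CLSIDs the summary names.
CLSID_BASELINE = {
    "{4590F811-1D3A-11D0-891F-00AA004B2E24}": r"wbem\wbemprox.dll",
    "{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}": r"wbem\wbemcore.dll",
}

def normalize_path(raw):
    """Canonicalise a Windows path the way different telemetry sources report it."""
    p = raw.strip().strip('"').replace("/", "\\")
    p = re.sub(r"^\\\?\?\\", "", p)                     # NT object path prefix \??\C:\...
    p = re.sub(r"^\\\\\?\\", "", p)                     # extended-length prefix \\?\C:\...
    p = re.sub(r"^%(systemroot|windir)%", r"C:\\Windows", p, flags=re.I)  # assumes default drive
    return p.lower()

def match_domains(log_lines):
    """Return (line, ioc) pairs for hostnames equal to, or a subdomain of, an IoC domain."""
    host_re = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b")
    hits = []
    for line in log_lines:
        for host in set(host_re.findall(line.lower())):
            for dom in IOC_DOMAINS:
                if host == dom or host.endswith("." + dom):
                    hits.append((line.strip(), dom))
    return hits

def match_paths(observed_paths):
    """Return the normalised observed paths that are DevilsTongue file IoCs."""
    return sorted({normalize_path(p) for p in observed_paths} & IOC_PATHS)

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32\]$", re.I)
VALUE_RE = re.compile(r'^@="(.*)"$')

def parse_inprocserver32(reg_text):
    """Map CLSID -> default InprocServer32 value from a .reg export (unescaping \\\\)."""
    servers, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            continue
        if line.startswith("["):          # any other key ends the CLSID block
            current = None
            continue
        m = VALUE_RE.match(line)
        if m and current:
            servers[current] = m.group(1).replace("\\\\", "\\")
    return servers

def check_clsids(reg_text):
    """Flag a CLSID whose server is a file IoC, or whose server left the baseline DLL."""
    findings = []
    for clsid, target in parse_inprocserver32(reg_text).items():
        path = normalize_path(target)
        if path in IOC_PATHS:
            findings.append((clsid, target, "InprocServer32 points at a DevilsTongue file IoC"))
        elif clsid in CLSID_BASELINE and not path.endswith(CLSID_BASELINE[clsid].lower()):
            findings.append((clsid, target, "InprocServer32 redirected from baseline " + CLSID_BASELINE[clsid]))
    return findings

# Constructed sample telemetry (not from the report).
DNS_LOG = [
    "2022-03-14T10:02:11Z 10.0.0.17 query A cdn.stylishblock.com",
    "2022-03-14T10:02:12Z 10.0.0.17 query A www.google.com",
    "2022-03-14T10:05:40Z 10.0.0.23 query A core-update.com",
]
HOST_FILES = [
    r"C:\Windows\System32\wbem\wbemcore.dll",           # legitimate, not flagged
    r"\??\C:\Windows\System32\wbem\wbemcore32.dll",     # IoC behind the NT prefix
    r"%SystemRoot%\System32\ime\shared\imebrokev.dll",  # IoC via environment variable
    r"C:\Windows\System32\migration\netiopmig.dll",
]
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32]
@="C:\\Users\\Public\\wbemprox.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}\InprocServer32]
@="C:\\Windows\\System32\\wbem\\wbemcore32.dll"
"ThreadingModel"="Both"
"""

if __name__ == "__main__":
    for hit in match_domains(DNS_LOG) + match_paths(HOST_FILES) + check_clsids(REG_EXPORT):
        print(hit)
```

Real sweeps would feed `match_paths` from a file inventory and `check_clsids` from `reg export HKLM\SOFTWARE\Classes\CLSID` output; the baseline comparison matters because a hijacked CLSID can point at a DLL name that is not yet on any IoC list, so deviation from the expected server is the more durable signal.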
Read more: https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/