Security News > 2022 > July > Candiru Spyware Caught Exploiting Google Chrome Zero-Day to Target Journalists

The actively exploited but now-fixed Google Chrome zero-day flaw that came to light earlier this month was weaponized by an Israeli spyware company and used in attacks targeting journalists in the Middle East.

"Specifically, a large portion of the attacks took place in Lebanon, where journalists were among the targeted parties," security researcher Jan Vojt?šek, who reported the discovery of the flaw, said in a write-up.

The vulnerability in question is CVE-2022-2294, memory corruption in the WebRTC component of the Google Chrome browser that could lead to shellcode execution.

The findings shed light on multiple attack campaigns mounted by the Israeli hack-for-hire vendor, which is said to have returned with a revamped toolset in March 2022 to target users in Lebanon, Turkey, Yemen, and Palestine via watering hole attacks using zero-day exploits for Google Chrome.

The infection sequence spotted in Lebanon commenced with the attackers compromising a website used by employees of a news agency to inject malicious JavaScript code from an actor-controlled domain that's responsible for redirecting potential victims to an exploit server.

The zero-day flaw is said to have been chained with a sandbox escape exploit to gain an initial foothold, using it to drop the DevilsTongue payload. While the sophisticated malware is capable of recording the victim's webcam and microphone, keylogging, exfiltrating messages, browsing history, passwords, locations, and much more, it has also been observed attempting to escalate its privileges by installing a vulnerable signed kernel driver containing a third zero-day exploit.

News URL

https://thehackernews.com/2022/07/candiru-spyware-caught-exploiting.html