Candiru’s DevilsTongue Spyware: A Global Threat to Windows Users
In the ever-evolving landscape of cyber threats, a new and formidable adversary has emerged: DevilsTongue, a sophisticated spyware developed by the Israeli firm Candiru. This malware has been deployed across multiple countries, targeting high-profile individuals such as politicians, journalists, and business leaders. Its advanced capabilities and stealthy operations have raised significant concerns among cybersecurity experts worldwide.
Global Deployment and Targeting
Candiru’s operations have been traced to at least eight distinct clusters in countries including Hungary, Saudi Arabia, Indonesia, and Azerbaijan. These clusters exhibit varied operational tactics, with some managing victim-facing systems directly, while others utilize intermediary layers or the Tor network to obfuscate their activities. This diversity in approach complicates efforts to detect and mitigate the spyware’s impact.
Technical Sophistication and Evasion Techniques
DevilsTongue is a modular Windows malware that employs multiple infection vectors. It exploits zero-day vulnerabilities in web browsers and uses weaponized documents to gain initial access to target systems. Once installed, the malware establishes a covert presence, exfiltrating sensitive data while evading standard security tools.
One of the spyware's notable features is its persistence mechanism. It uses Component Object Model (COM) hijacking: it overwrites the registry keys of legitimate COM classes so that they point to a malicious DLL placed in the system directory, and the DLL is then loaded by whichever legitimate process instantiates that class. This lets the malware blend in with normal system activity. Additionally, DevilsTongue loads a signed third-party driver, physmem.sys, to obtain kernel-level memory access, which it uses to proxy API calls and sidestep detection mechanisms.
To keep the hijacked process working and avoid triggering security alerts, DevilsTongue reinstates the original COM DLL: its shellcode manipulates the return value of LoadLibraryExW so that the legitimate library is handed back to the caller. All additional payloads remain encrypted and execute exclusively in memory, hindering forensic recovery. This design allows the malware to extract credentials from the Local Security Authority Subsystem Service (LSASS), web browsers, and messaging applications such as Signal, before covering its tracks by scrubbing file metadata and ensuring each dropped file carries a unique hash.
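A defender-side hunt for this persistence technique, added here as an example and not taken from the original article or from any vendor tooling: it parses two constructed .reg-style exports of InprocServer32 keys (the CLSIDs and DLL names are made up) and flags machine-wide keys that were rewritten to point at a different DLL, as well as per-user CLSIDs that shadow a machine-wide class, which is the other common form of COM hijacking.

```python
"""Diff COM InprocServer32 registrations against a known-good baseline.
Constructed example data; CLSIDs and DLL names are placeholders."""
import re

BASELINE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Windows\\System32\\propsys.dll"
"""
# Same host later: one HKLM key now points at a different DLL in System32,
# and a per-user key has appeared for a class that HKLM already defines.
CURRENT_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Windows\\System32\\placeholder_unsigned.dll"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\placeholder.dll"
"""

KEY_RE = re.compile(r"^\[(.+\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32)\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')

def parse_inproc(reg_text):
    """Map (hive, CLSID) -> DLL path for every InprocServer32 key in a .reg export."""
    entries, key = {}, None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            full, clsid = m.groups()
            key = (full.split("\\", 1)[0], clsid.upper())
            continue
        m = DEFAULT_RE.match(line.strip())
        if m and key:
            entries[key] = m.group(1).replace("\\\\", "\\")  # un-escape .reg backslashes
            key = None
    return entries

def hunt(baseline, current):
    """Return (kind, clsid, detail) findings worth a closer look."""
    findings = []
    for (hive, clsid), path in current.items():
        if hive == "HKEY_CURRENT_USER":
            # A user-hive CLSID is resolved before HKLM: a shadow of a known class
            if ("HKEY_LOCAL_MACHINE", clsid) in baseline or ("HKEY_LOCAL_MACHINE", clsid) in current:
                findings.append(("hkcu-shadow", clsid, path))
        elif (hive, clsid) not in baseline:
            findings.append(("new-clsid", clsid, path))
        elif baseline[(hive, clsid)].lower() != path.lower():
            findings.append(("modified", clsid, f"{baseline[(hive, clsid)]} -> {path}"))
    return findings
```

In practice the baseline comes from a clean reference build or golden image and the current export from the host under review; a rewritten key whose new DLL is unsigned or has a hash seen nowhere else in the estate is the pattern described above.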
Commercialization and Licensing Model
The commercialization of DevilsTongue underscores the growing market for sophisticated spyware. Leaked project proposals reveal that Candiru charges clients based on concurrent infections, allowing them to monitor multiple devices simultaneously. A base contract starting at €16 million permits unlimited infection attempts with ten concurrent devices monitored. Additional fees unlock expanded capacity and geographic coverage across different countries. This pricing structure attracts government clients with substantial budgets seeking persistent surveillance capabilities.
Implications for Cybersecurity
The emergence of DevilsTongue highlights the escalating arms race in cyber espionage. Its advanced evasion techniques and modular design make it a formidable tool for targeted surveillance. The global deployment of this spyware underscores the need for robust cybersecurity measures and international cooperation to combat such threats.
Organizations and individuals must remain vigilant, employing comprehensive security protocols and staying informed about emerging threats. Regular system updates, employee training, and the use of advanced threat detection tools are essential components of a proactive defense strategy.
Conclusion
Candiru’s DevilsTongue spyware represents a significant advancement in the realm of cyber threats. Its sophisticated design, global reach, and targeted approach pose a substantial risk to high-profile individuals and organizations. As cyber adversaries continue to evolve, so must our strategies to detect, prevent, and respond to these threats.