Unveiling DevilsTongue: The Sophisticated Windows Spyware Targeting Users Globally

In recent years, the cybersecurity landscape has been significantly impacted by the emergence of advanced spyware tools designed to infiltrate and monitor high-profile targets worldwide. One such tool, known as DevilsTongue, has garnered attention for its sophisticated capabilities and the breadth of its deployment. Developed by the Israeli firm Candiru, which Microsoft tracks under the name SOURGUM, DevilsTongue has been used to target a diverse range of individuals, including politicians, journalists, human rights activists, and dissidents across multiple countries.

Origins and Development

Candiru, established in 2014 and based in Tel Aviv, specializes in providing cyber-espionage tools exclusively to government clients. The company’s products are designed to exploit zero-day vulnerabilities—previously unknown security flaws—for the purpose of deploying spyware that can remotely control and monitor target devices. Candiru’s offerings are reported to be capable of compromising various operating systems and devices, including Windows PCs, Macs, iPhones, Android smartphones, and cloud accounts. ([en.wikipedia.org](https://en.wikipedia.org/wiki/Candiru_%28spyware_company%29?utm_source=openai))

Deployment and Targeting

Investigations by Microsoft and Citizen Lab have revealed that DevilsTongue has been deployed in highly targeted cyberattacks against more than 100 individuals across countries such as Palestine, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore. The victims encompass a wide array of profiles, including politicians, human rights defenders, journalists, academics, embassy workers, and political dissidents. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/microsoft-israeli-firm-used-windows-zero-days-to-deploy-spyware/?utm_source=openai))

Infection Mechanisms

DevilsTongue employs a variety of sophisticated infection vectors to infiltrate target systems. These methods include spear-phishing campaigns that entice victims to click on malicious links, strategic watering hole attacks that compromise websites frequently visited by the targets, and weaponized documents that exploit vulnerabilities in popular software. Notably, the spyware has been delivered through zero-day vulnerabilities in widely used browsers such as Google Chrome and Microsoft Internet Explorer. For instance, in 2021, exploits for Chrome’s CVE-2021-21166 and Internet Explorer’s CVE-2021-33742 were used to deliver DevilsTongue payloads, the former via single-use URLs sent to the target and the latter via documents embedding ActiveX objects that load the exploit from the web. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/chrome-zero-day-used-to-infect-journalists-with-candiru-spyware/?utm_source=openai))

Technical Capabilities

Once installed, DevilsTongue establishes a persistent and covert presence on the infected device. The malware is capable of a wide range of espionage activities, including:

– Data Exfiltration: Collecting and transmitting files, documents, and other sensitive information from the victim’s device.

– Credential Theft: Extracting login credentials and cookies from browsers such as Chrome, Firefox, Safari, and Opera, enabling unauthorized access to the victim’s online accounts.

– Communication Interception: Decrypting and exfiltrating messages from encrypted messaging applications like Signal, thereby compromising private communications.

– Surveillance: Activating the device’s webcam and microphone to monitor and record audio and visual data without the user’s knowledge.

– Persistence Mechanisms: Maintaining a foothold on the device through a signed third-party driver that gives the malware kernel-level access, and through hijacking the registry key of a legitimate COM class so that a trusted process loads the malicious library whenever it instantiates that class. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/microsoft-israeli-firm-used-windows-zero-days-to-deploy-spyware/?utm_source=openai))
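The COM-class hijack is the one persistence technique above that a defender can hunt for with nothing more than a registry export, because per-user registrations under HKCU\Software\Classes\CLSID take precedence over the machine-wide ones under HKLM, and an attacker who can only write to HKCU can therefore point an existing class at their own DLL. The following script is an added example, not code from the original reporting nor from Microsoft or Citizen Lab: it parses `reg export` dumps of both CLSID trees and flags per-user InprocServer32 entries that shadow a machine-wide server with a different DLL, or that register a per-user-only class served from outside the Windows and Program Files trees. The sample exports, CLSIDs and file paths are constructed for the demonstration, and the trusted-directory list is an assumption that a real deployment would tighten.

```python
r"""Hunt for per-user COM-class hijacks used as a persistence mechanism.

COM lookups consult HKCU\Software\Classes\CLSID before HKLM\Software\Classes\CLSID,
so a per-user InprocServer32 value can redirect a legitimate process to an
attacker's DLL. This parses two `reg export` dumps (.reg text format) and diffs them.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"[^"]*")=(?P<data>.*)$')   # @="..." or "Name"=...
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$", re.I)
# Assumed trusted install roots; a heuristic only (C:\Windows\Temp is user-writable).
TRUSTED_PREFIXES = ("C:\\WINDOWS\\", "C:\\PROGRAM FILES\\", "C:\\PROGRAM FILES (X86)\\")


def _decode(data: str) -> str:
    """Decode REG_SZ ("...") and REG_EXPAND_SZ (hex(2): UTF-16LE) data; others stay raw."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])          # \\ -> \ and \" -> "
    if data.lower().startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}}, joining the comma-backslash
    continuation lines that reg.exe emits for hex data."""
    keys: Dict[str, Dict[str, str]] = {}
    current, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith(",\\"):                 # hex data continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group("name") == "@" else m.group("name").strip('"')
            keys[current][name] = _decode(m.group("data"))
    return keys


def inproc_servers(keys: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map CLSID -> default InprocServer32 path for every InprocServer32 key."""
    out: Dict[str, str] = {}
    for path, values in keys.items():
        m = CLSID_RE.search(path)
        if m and "(Default)" in values:
            out[m.group(1).upper()] = values["(Default)"]
    return out


def normalize(path: str) -> str:
    """Upper-case and expand common variables so REG_EXPAND_SZ and literal forms compare equal."""
    p = path.strip().strip('"').upper()
    for var, real in (("%SYSTEMROOT%", "C:\\WINDOWS"), ("%WINDIR%", "C:\\WINDOWS"),
                      ("%PROGRAMFILES%", "C:\\PROGRAM FILES")):
        p = p.replace(var, real)
    return p


def is_trusted_path(dll: str) -> bool:
    return normalize(dll).startswith(TRUSTED_PREFIXES)


@dataclass
class Finding:
    clsid: str
    user_dll: str
    machine_dll: Optional[str]
    reason: str


def find_com_hijacks(hklm_export: str, hkcu_export: str) -> List[Finding]:
    machine = inproc_servers(parse_reg_export(hklm_export))
    user = inproc_servers(parse_reg_export(hkcu_export))
    findings: List[Finding] = []
    for clsid, dll in sorted(user.items()):
        shadowed = machine.get(clsid)
        if shadowed is not None and normalize(shadowed) != normalize(dll):
            findings.append(Finding(clsid, dll, shadowed,
                                    "per-user InprocServer32 shadows the machine-wide server with a different DLL"))
        elif shadowed is None and not is_trusted_path(dll):
            findings.append(Finding(clsid, dll, None,
                                    "per-user-only class served from outside Windows/Program Files"))
    return findings


# Constructed sample exports (not from a real host); CLSIDs and paths are placeholders.
SAMPLE_HKLM = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\example.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66666666-7777-8888-9999-AAAAAAAAAAAA}\InprocServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,78,00,2e,00,64,00,6c,00,6c,00,00,00
"""

SAMPLE_HKCU = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Local\\Temp\\shim.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-AAAAAAAAAAAA}\InprocServer32]
@="C:\\Windows\\x.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{BBBBBBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF}\InprocServer32]
@="C:\\ProgramData\\update\\helper.dll"
"""

if __name__ == "__main__":
    for f in find_com_hijacks(SAMPLE_HKLM, SAMPLE_HKCU):
        print(f"{f.clsid}: {f.reason}\n    user:    {f.user_dll}\n    machine: {f.machine_dll}")
```

On a live host the inputs come from `reg export HKLM\Software\Classes\CLSID hklm.reg` and `reg export HKCU\Software\Classes\CLSID hkcu.reg`; reg.exe writes UTF-16LE, so open the files with `encoding="utf-16"`. The second sample class is deliberately registered in both hives with the same file written once as REG_EXPAND_SZ and once as a literal path, which is why the comparison normalizes before diffing. Directory-based trust is only a triage heuristic; the conclusive check on any flagged DLL is its Authenticode signature (for example `Get-AuthenticodeSignature` in PowerShell) and whether the legitimate process that instantiates that class actually needs a per-user override at all. Note also that elevated processes ignore per-user COM registrations, so a hijack planted in HKCU persists at the user's integrity level rather than granting elevation.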

Global Impact and Infrastructure

The global reach of DevilsTongue is underscored by its extensive command-and-control (C2) infrastructure. Citizen Lab identified over 750 domains associated with Candiru’s spyware operations, many of which masquerade as legitimate organizations, including media outlets and advocacy groups such as Amnesty International and the Black Lives Matter movement. This deceptive infrastructure facilitates the widespread deployment and management of the spyware across various regions. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/microsoft-israeli-firm-used-windows-zero-days-to-deploy-spyware/?utm_source=openai))

Financial Aspects

The deployment of DevilsTongue is a costly endeavor, with pricing structures reflecting the spyware’s advanced capabilities and the exclusivity of its clientele. Leaked documents obtained by Citizen Lab reveal that a standard package is priced at €16 million, allowing for an unlimited number of infection attempts but the monitoring of only 10 devices simultaneously. Additional fees are required to expand the number of devices under surveillance or to extend operations into additional countries. For example, an extra €1.5 million permits the monitoring of 15 additional devices and operations in one more country, while €5.5 million allows for 25 more devices and espionage activities in five additional countries. ([threatpost.com](https://threatpost.com/windows-zero-days-israeli-spyware-dissidents/167865/?utm_source=openai))

Ethical and Legal Considerations

The use of spyware like DevilsTongue raises significant ethical and legal questions, particularly concerning privacy rights and the potential for abuse. While Candiru claims to sell its products exclusively to government agencies for law enforcement and intelligence purposes, reports indicate that the spyware has been used against individuals who are not involved in criminal activities, including journalists and human rights activists. This misuse highlights the potential for such tools to be employed in suppressing dissent and infringing upon civil liberties. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/microsoft-israeli-firm-used-windows-zero-days-to-deploy-spyware/?utm_source=openai))

Mitigation and Response

In response to the threats posed by DevilsTongue, major technology companies have taken steps to mitigate its impact. Microsoft, for instance, released patches for the two Windows kernel privilege-escalation zero-days exploited by the spyware, CVE-2021-31979 and CVE-2021-33771, as part of its July 2021 security updates. These patches close the security gaps that DevilsTongue leveraged to gain elevated access on compromised systems, so confirming that the July 2021 cumulative update (or any later one) is installed is the first check a defender should make. Additionally, Microsoft has added detections for the malware to its security products and has shared indicators with the broader security community to enhance collective defense efforts. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/microsoft-israeli-firm-used-windows-zero-days-to-deploy-spyware/?utm_source=openai))

Conclusion

The emergence and deployment of DevilsTongue underscore the evolving nature of cyber threats and the increasing sophistication of spyware tools available to government entities. The global scale of its impact, coupled with its advanced technical capabilities, highlights the pressing need for robust cybersecurity measures and vigilant monitoring to protect individuals and organizations from such invasive surveillance activities. As the cybersecurity community continues to respond to these challenges, collaboration and information sharing remain critical components in the ongoing effort to safeguard digital privacy and security.