Candiru, an Israel-based spyware vendor, is actively deploying a sophisticated malware infrastructure across multiple countries, targeting high-value individuals including politicians, journalists, and business leaders with its DevilsTongue spyware. The vendor has established eight distinct operational clusters in nations such as Hungary, Saudi Arabia, Indonesia, and Azerbaijan, highlighting the global reach of this mercenary cyber tool aimed at Windows users.
The DevilsTongue spyware is described as a highly dangerous cyber threat due to its combination of advanced evasion techniques and extensive surveillance capabilities. It leverages multiple infection vectors, including zero-day vulnerabilities in web browsers and weaponized documents, to compromise target systems. Once installed, the spyware operates covertly, stealing sensitive information while remaining virtually undetectable by standard security tools.
Candiru’s DevilsTongue Spyware Targets Vulnerable Users Globally
Security analysts at Recorded Future have identified new infrastructure linked to Candiru’s operational clusters. Their investigation revealed significant variations in how different groups manage their victim-facing systems. Some clusters operate directly, while others employ intermediary layers or the Tor network for command and control. This adaptability demonstrates Candiru’s continuous efforts to enhance its operational security, even after facing international sanctions from the U.S. Department of Commerce in November 2021.
The commercial nature of DevilsTongue is further emphasized by its licensing model. Leaked project proposals indicate that Candiru charges clients based on the number of concurrent infections. A base contract, starting at €16 million, allows for unlimited infection attempts with ten concurrent devices monitored. Additional fees are associated with expanded capacity and broader geographic coverage, making it an attractive, albeit costly, solution for government clients with substantial surveillance budgets.
Technical Persistence and Evasion Mechanisms of DevilsTongue
DevilsTongue employs sophisticated technical persistence and evasion mechanisms to maintain a foothold on infected Windows systems. A key technique involves COM hijacking, where legitimate COM class registry keys are overwritten to redirect execution to a first-stage DLL located in the `C:\Windows\system32\IME` directory. This placement cleverly disguises malicious activity within a legitimate system folder.
Further aiding its stealth, the malware utilizes a signed third-party driver, `physmem.sys`, to gain kernel-level memory access. This capability allows DevilsTongue to proxy API calls and bypass detection mechanisms that rely on standard user-mode monitoring. During the COM hijacking process, the malware meticulously restores the original COM DLL through shellcode manipulation of the `LoadLibraryExW` return value. This ensures system stability and minimizes the risk of triggering security alerts.
All subsequent payloads are designed to remain encrypted and execute exclusively in memory. This in-memory execution prevents forensic analysis and makes it exceedingly difficult to recover malicious components. The malware’s capabilities extend to extracting credentials from critical system processes like LSASS, as well as from web browsers and messaging applications like Signal Messenger. Before exfiltration, DevilsTongue employs techniques such as metadata scrubbing and unique file hashing to cover its tracks, further complicating attribution and investigation efforts.
The ongoing evolution and deployment of the DevilsTongue spyware underscore the persistent threat posed by sophisticated mercenary cyber operations. As Candiru continues to adapt its infrastructure and techniques, organizations and governments worldwide must remain vigilant and bolster their defenses against these advanced surveillance tools. The discovery of these operational clusters serves as a stark reminder of the need for robust cybersecurity measures and international cooperation to counter such threats.

