Spyware toolkit used by governments, hackers to break into Windows machines

Spyware as a service?

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Cybersecurityexperts have shared details about a mercenary spyware vendor that exploited at least a couple of zero-day vulnerabilities, whichMicrosoftpatched in theJuly Patch Tuesday.

Security experts from Microsoft Threat Intelligence Center (MSTIC) worked together with internet watchdog Citizen Lab to blow the lid off the Israel-basedmercenary spyware company, Candiru, which sells spyware exploit toolkits exclusively to governments.

“Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices. With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves,” observes MSTIC ina blog post.

We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

Click here to start the survey in a new window«

While Citizen Lab directly identifies Candiru as the toolkit author, Microsoft has chosen to refer to it by its code-name Sourgum.

Targeted spyware

MSTIC and Citizen Lab say that Candiru/Sourgum used the zero-day vulnerability to craft amalwaredubbed DevilsTounge.

According to their investigation, DevilTounge infected at least a hundred human rights defenders, dissidents, journalists, activists, and politicians in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore.

Citizen Lab identified a politically active victim in Western Europe and worked with it to recover a copy of DevilsTounge, which led to the discovery of the now-patched privilege escalation vulnerabilities, specifically tracked as CVE-2021-31979 and CVE-2021-33771.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

According to MSTIC’s breakdown of the spyware, in addition to standard malware capabilities including exfiltrating files, credentials, and other sensitive information, DevilsTounge is also designed to decrypt and exfiltrate conversations from theSignalmessaging app, the preferred means of communication by activists to circumvent snooping.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

A new form of macOS malware is being used by devious North Korean hackers

Scammers are using fake copyright infringement claims to hack businesses

We might have our first look at the long-rumored Samsung tri-fold