candiru spyware

[baran 0]

What is the name of candiru (spyware) malware detected by eset antivirus?

No documents found on the sites.(virus total ,....)

[itman 1,659]

Question is if Eset even detects this Israeli spyware. It is only sold to governments for surveillance purposes.

Here's an in depth  article on Candiru: https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ .

Also of note is the U.S. government recently blacklisted them: https://www.haaretz.com/israel-news/u-s-says-israeli-cyberware-firms-nso-candiru-harm-national-security-and-interests-1.10350660

If the following registry key hasn't been modified, you are not infected with it:

Quote

Persistence

Candiru’s spyware was persistently installed on the computer via COM hijacking of the following registry key:

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Normally, this registry key’s value points to the benign Windows Management Instrumentation wmiutils.dll file, but the value on the infected computer had been modified to point to a malicious DLL file that had been dropped inside the Windows system folder associated with the Japanese input method (IMEJP) C:\WINDOWS\system32\ime\IMEJP\IMJPUEXP.DLL. This folder is benign and included in a default install of Windows 10, but IMJPUEXP.DLL is not the name of a legitimate Windows component.

When Windows boots, it automatically loads the Windows Management Instrumentation service, which involves looking up the DLL path in the registry key, and then invoking the DLL.

Edited November 6, 2021 by itman

[itman 1,659]

Microsoft also has an article on this spyware with the following comment:

Quote

Physmem driver

Note that this driver may be used legitimately, but if it’s seen on path C:\Windows\system32\drivers\physmem.sys then it is a high-confidence indicator of DevilsTongue activity. The hashes below are provided for the one driver observed in use.

• MD5: a0e2223868b6133c5712ba5ed20c3e8a
• SHA-1: 17614fdee3b89272e99758983b99111cbb1b312c
• SHA-256: c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d

Also, you're never going to find file hashes for the binaries used by this spyware:

Quote

Indicators of compromise (IOCs)

No malware hashes are being shared because DevilsTongue files, except for the third part driver, all have unique hashes, and therefore, are not a useful indicator of compromise.

https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/

Therefore, lookup of this spyware binaries on sites such as VirusTotal will yield no results. That is, signature detection of this spyware is a moot point.

Edited November 6, 2021 by itman

[itman 1,659]

As far as Eset's awareness of this spyware, Eset just published a blog post on it here: https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/

Appears it was not possible to create a signature for the actual payload involved because:

Quote

We were unable to get an exploit and the final payload. This shows that the operators choose to narrow the focus of their operations and that they don’t want to burn their zero-day exploits.