Jump to content

candiru spyware


Recommended Posts

Question is if Eset even detects this Israeli spyware. It is only sold to governments for surveillance purposes.

Here's an in depth  article on Candiru: https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ .

Also of note is the U.S. government recently blacklisted them: https://www.haaretz.com/israel-news/u-s-says-israeli-cyberware-firms-nso-candiru-harm-national-security-and-interests-1.10350660

If the following registry key hasn't been modified, you are not infected with it:



Candiru’s spyware was persistently installed on the computer via COM hijacking of the following registry key:


Normally, this registry key’s value points to the benign Windows Management Instrumentation wmiutils.dll file, but the value on the infected computer had been modified to point to a malicious DLL file that had been dropped inside the Windows system folder associated with the Japanese input method (IMEJP) C:\WINDOWS\system32\ime\IMEJP\IMJPUEXP.DLL. This folder is benign and included in a default install of Windows 10, but IMJPUEXP.DLL is not the name of a legitimate Windows component.

When Windows boots, it automatically loads the Windows Management Instrumentation service, which involves looking up the DLL path in the registry key, and then invoking the DLL.

Edited by itman
Link to comment
Share on other sites

Microsoft also has an article on this spyware with the following comment:


Physmem driver

Note that this driver may be used legitimately, but if it’s seen on path C:\Windows\system32\drivers\physmem.sys then it is a high-confidence indicator of DevilsTongue activity. The hashes below are provided for the one driver observed in use.

  • MD5: a0e2223868b6133c5712ba5ed20c3e8a
  • SHA-1: 17614fdee3b89272e99758983b99111cbb1b312c
  • SHA-256: c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d

Also, you're never going to find file hashes for the binaries used by this spyware:


Indicators of compromise (IOCs)

No malware hashes are being shared because DevilsTongue files, except for the third part driver, all have unique hashes, and therefore, are not a useful indicator of compromise.


Therefore, lookup of this spyware binaries on sites such as VirusTotal will yield no results. That is, signature detection of this spyware is a moot point.

Edited by itman
Link to comment
Share on other sites

  • 2 weeks later...

As far as Eset's awareness of this spyware, Eset just published a blog post on it here: https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/

Appears it was not possible to create a signature for the actual payload involved because:


We were unable to get an exploit and the final payload. This shows that the operators choose to narrow the focus of their operations and that they don’t want to burn their zero-day exploits.


Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...