baran 0 Posted November 6, 2021

What is the name of the Candiru (spyware) malware detected by ESET antivirus? No documents found on the sites (VirusTotal, ...).
itman 1,807 Posted November 6, 2021 (edited)

The question is whether ESET even detects this Israeli spyware. It is only sold to governments for surveillance purposes. Here's an in-depth article on Candiru: https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ . Also of note is that the U.S. government recently blacklisted them: https://www.haaretz.com/israel-news/u-s-says-israeli-cyberware-firms-nso-candiru-harm-national-security-and-interests-1.10350660

If the following registry key hasn't been modified, you are not infected with it:

Quote:
    Persistence
    Candiru's spyware was persistently installed on the computer via COM hijacking of the following registry key:
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
    Normally, this registry key's value points to the benign Windows Management Instrumentation wmiutils.dll file, but the value on the infected computer had been modified to point to a malicious DLL file that had been dropped inside the Windows system folder associated with the Japanese input method (IMEJP): C:\WINDOWS\system32\ime\IMEJP\IMJPUEXP.DLL. This folder is benign and included in a default install of Windows 10, but IMJPUEXP.DLL is not the name of a legitimate Windows component. When Windows boots, it automatically loads the Windows Management Instrumentation service, which involves looking up the DLL path in the registry key and then invoking the DLL.

Edited November 6, 2021 by itman
itman 1,807 Posted November 6, 2021 (edited)

Microsoft also has an article on this spyware with the following comment:

Quote:
    Physmem driver
    Note that this driver may be used legitimately, but if it's seen on path C:\Windows\system32\drivers\physmem.sys then it is a high-confidence indicator of DevilsTongue activity. The hashes below are provided for the one driver observed in use.
    MD5: a0e2223868b6133c5712ba5ed20c3e8a
    SHA-1: 17614fdee3b89272e99758983b99111cbb1b312c
    SHA-256: c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d

Also, you're never going to find file hashes for the binaries used by this spyware:

Quote:
    Indicators of compromise (IOCs)
    No malware hashes are being shared because DevilsTongue files, except for the third-party driver, all have unique hashes, and therefore are not a useful indicator of compromise.

https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/

Therefore, a lookup of this spyware's binaries on sites such as VirusTotal will yield no results. That is, signature detection of this spyware is a moot point.

Edited November 6, 2021 by itman
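The two posts above give a registry indicator (the hijacked WMI CLSID) and a file indicator (physmem.sys with published hashes). The script below is an added example, not code from this thread or from ESET, Microsoft or Citizen Lab, that checks both on a Windows 10 host. The CLSID, file paths and hashes are the ones quoted above; the function names, the Authenticode check on whatever DLL the key points to, and the output format are my own additions.

```powershell
# Added example: host check for the Candiru/DevilsTongue indicators quoted in this thread.
# Not code from the forum, ESET, Microsoft or Citizen Lab. Run from an elevated prompt.

$Clsid       = '{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}'
$InprocKey   = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
$ExpectedDll = 'wmiutils.dll'                                            # benign target per Citizen Lab
$DroppedDll  = Join-Path $env:SystemRoot 'System32\ime\IMEJP\IMJPUEXP.DLL'  # not a legitimate Windows file name
$DriverPath  = Join-Path $env:SystemRoot 'System32\drivers\physmem.sys'
$KnownDriver = @{   # hashes Microsoft published for the one physmem.sys observed in use
    MD5    = 'a0e2223868b6133c5712ba5ed20c3e8a'
    SHA1   = '17614fdee3b89272e99758983b99111cbb1b312c'
    SHA256 = 'c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d'
}

function Test-WmiUtilsComHijack {
    # COM resolves the CLSID to the DLL named in the default value of InprocServer32.
    # Anything other than a Microsoft-signed wmiutils.dll is reported as suspicious.
    $finding = [ordered]@{ Check = 'InprocServer32'; Suspicious = $false; Detail = '' }
    if (-not (Test-Path -LiteralPath $InprocKey)) {
        $finding.Suspicious = $true
        $finding.Detail     = 'key missing (present on a default Windows 10 install)'
        return [pscustomobject]$finding
    }
    # The value is REG_EXPAND_SZ (%SystemRoot%\...); Get-ItemProperty returns it expanded.
    $dllPath = (Get-ItemProperty -LiteralPath $InprocKey).'(default)'
    $finding.Detail = "InprocServer32 = $dllPath"
    if ([IO.Path]::GetFileName($dllPath) -ne $ExpectedDll) {   # -ne is case-insensitive
        $finding.Suspicious = $true
        return [pscustomobject]$finding
    }
    # Same file name in another directory, or an unsigned replacement, is still a hijack.
    # Windows system binaries are catalog-signed; Get-AuthenticodeSignature reports those as Valid.
    if (Test-Path -LiteralPath $dllPath) {
        $sig = Get-AuthenticodeSignature -FilePath $dllPath
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $finding.Suspicious = $true
            $finding.Detail    += " (signature: $($sig.Status))"
        }
    } else {
        $finding.Suspicious = $true
        $finding.Detail    += ' (file not found)'
    }
    [pscustomobject]$finding
}

function Test-DroppedArtifacts {
    # physmem.sys has legitimate uses, but at this path Microsoft calls it a
    # high-confidence indicator; the hash match only tells you it is the same
    # build they observed, a mismatch does not clear it.
    $out = @()
    $out += [pscustomobject]@{ Check = 'IMJPUEXP.DLL'; Suspicious = (Test-Path -LiteralPath $DroppedDll); Detail = $DroppedDll }
    $drv = [ordered]@{ Check = 'physmem.sys'; Suspicious = $false; Detail = "$DriverPath absent" }
    if (Test-Path -LiteralPath $DriverPath) {
        $drv.Suspicious = $true
        $hashes = foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
            $h = (Get-FileHash -LiteralPath $DriverPath -Algorithm $alg).Hash
            $m = if ($h -eq $KnownDriver[$alg]) { 'matches published IOC' } else { 'differs from published IOC' }
            "$alg=$h ($m)"
        }
        $drv.Detail = "$DriverPath present; " + ($hashes -join '; ')
    }
    $out += [pscustomobject]$drv
    $out
}

$report = @(Test-WmiUtilsComHijack) + @(Test-DroppedArtifacts)
$report | Format-Table -AutoSize
if ($report.Suspicious -contains $true) { Write-Warning 'One or more indicators flagged; review the rows above.' }
```

Two caveats: this only covers the one CLSID the Citizen Lab report names, and COM hijacking in general can use any CLSID and can also be staged under HKCU\Software\Classes, which takes precedence over HKLM for per-user lookups, so a broader sweep compares every InprocServer32 value against signed binaries rather than this single key. And, as the Microsoft quote above says, the driver is the only component with a stable hash; the absence of both indicators is evidence, not proof, that the host is clean.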
itman 1,807 Posted November 17, 2021

As for ESET's awareness of this spyware, ESET just published a blog post on it here: https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/

It appears it was not possible to create a signature for the actual payload involved because:

Quote:
    We were unable to get an exploit and the final payload. This shows that the operators choose to narrow the focus of their operations and that they don't want to burn their zero-day exploits.