
Candiru spyware


What is the name of the Candiru (spyware) malware as detected by ESET antivirus?
No documents found on the sites (VirusTotal, ...).

The question is whether ESET even detects this Israeli spyware. It is only sold to governments for surveillance purposes.

Here's an in-depth article on Candiru: https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ .

Also of note is the U.S. government recently blacklisted them: https://www.haaretz.com/israel-news/u-s-says-israeli-cyberware-firms-nso-candiru-harm-national-security-and-interests-1.10350660

If the following registry key hasn't been modified, you are not infected with it:



Candiru’s spyware was persistently installed on the computer via COM hijacking of the following registry key:


Normally, this registry key’s value points to the benign Windows Management Instrumentation wmiutils.dll file, but the value on the infected computer had been modified to point to a malicious DLL file that had been dropped inside the Windows system folder associated with the Japanese input method (IMEJP) C:\WINDOWS\system32\ime\IMEJP\IMJPUEXP.DLL. This folder is benign and included in a default install of Windows 10, but IMJPUEXP.DLL is not the name of a legitimate Windows component.

When Windows boots, it automatically loads the Windows Management Instrumentation service, which involves looking up the DLL path in the registry key, and then invoking the DLL.

Edited by itman

Microsoft also has an article on this spyware with the following comment:


Physmem driver

Note that this driver may be used legitimately, but if it’s seen on path C:\Windows\system32\drivers\physmem.sys then it is a high-confidence indicator of DevilsTongue activity. The hashes below are provided for the one driver observed in use.

  • MD5: a0e2223868b6133c5712ba5ed20c3e8a
  • SHA-1: 17614fdee3b89272e99758983b99111cbb1b312c
  • SHA-256: c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d

Also, you're never going to find file hashes for the binaries used by this spyware:


Indicators of compromise (IOCs)

No malware hashes are being shared because DevilsTongue files, except for the third-party driver, all have unique hashes, and therefore are not a useful indicator of compromise.


Therefore, a lookup of this spyware's binaries on sites such as VirusTotal will yield no results. That is, signature detection of this spyware is a moot point.

Edited by itman
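The two host indicators quoted in the posts above (the COM hijack of an InprocServer32 value that normally points at wmiutils.dll, and the physmem.sys driver at a fixed path) can be checked locally without a signature. The script below is an added example written for this thread; it is not code from ESET, Citizen Lab or Microsoft. Assumptions of mine: it runs in an elevated PowerShell 5.1 or later session on the host under review; because the hijacked CLSID itself is not reproduced in the thread, the script scans every CLSID\{...}\InprocServer32 value in HKLM and HKCU rather than one key and flags the pattern Citizen Lab described (a DLL named IMJPUEXP.DLL, a DLL under system32\ime, a missing target, a Windows-directory DLL without a valid Microsoft signature, or a per-user entry that shadows a different machine-wide server); the driver check uses the path and the three hashes quoted from Microsoft.

```powershell
# Added triage example (not the thread's, Citizen Lab's or Microsoft's code).
# Assumes an elevated PowerShell 5.1+ session on the machine being checked.

$ImeDllName = 'IMJPUEXP.DLL'                                   # from the Citizen Lab quote
$DriverPath = 'C:\Windows\system32\drivers\physmem.sys'        # from the Microsoft quote
$KnownBadDriver = @{                                           # hashes from the Microsoft quote
    MD5    = 'a0e2223868b6133c5712ba5ed20c3e8a'
    SHA1   = '17614fdee3b89272e99758983b99111cbb1b312c'
    SHA256 = 'c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d'
}

function Resolve-InprocTarget([string]$raw) {
    # Values may be quoted, use %SystemRoot%, or be a bare file name that the
    # COM loader resolves from system32; normalise to a full path.
    $p = [Environment]::ExpandEnvironmentVariables($raw.Trim().Trim('"'))
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path "$env:SystemRoot\System32" $p }
    return $p
}

function Test-ComHijack {
    $roots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID',
        'HKCU:\SOFTWARE\Classes\CLSID'    # per-user entries take precedence over HKLM
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($clsid in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
            $inproc = Join-Path $clsid.PSPath 'InprocServer32'
            if (-not (Test-Path $inproc)) { continue }
            $raw = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            $target  = Resolve-InprocTarget $raw
            $reasons = @()

            if ([IO.Path]::GetFileName($target) -ieq $ImeDllName) { $reasons += "file name is $ImeDllName" }
            if ($target -like "$env:SystemRoot\System32\ime\*")    { $reasons += 'DLL under system32\ime' }

            # A per-user CLSID that points somewhere other than the HKLM one is the classic hijack shape.
            if ($root -like 'HKCU:*') {
                $hklm = "HKLM:\SOFTWARE\Classes\CLSID\$($clsid.PSChildName)\InprocServer32"
                if (Test-Path $hklm) {
                    $machineRaw = (Get-ItemProperty -Path $hklm -ErrorAction SilentlyContinue).'(default)'
                    if ($machineRaw -and ((Resolve-InprocTarget $machineRaw) -ine $target)) {
                        $reasons += 'per-user entry shadows a different HKLM server'
                    }
                }
            }

            if (-not (Test-Path $target)) {
                $reasons += 'target file missing'
            } elseif ($target -like "$env:SystemRoot\*") {
                # Anything loaded from the Windows directory should carry a valid Microsoft signature
                # (Get-AuthenticodeSignature also honours catalog signatures on supported Windows versions).
                $sig = Get-AuthenticodeSignature -FilePath $target
                if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                    $reasons += "Windows-dir DLL signature: $($sig.Status)"
                }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Key = $inproc; Target = $target; Reason = ($reasons -join '; ') }
            }
        }
    }
}

function Test-PhysmemDriver {
    # physmem.sys may be legitimate elsewhere; at this exact path Microsoft calls it high-confidence.
    $result = [ordered]@{ Path = $DriverPath; Present = $false; HashMatches = @(); RegisteredAs = @() }
    if (Test-Path $DriverPath) {
        $result.Present = $true
        $hits = @()
        foreach ($alg in $KnownBadDriver.Keys) {
            $h = (Get-FileHash -Path $DriverPath -Algorithm $alg).Hash
            if ($h -ieq $KnownBadDriver[$alg]) { $hits += $alg }
        }
        $result.HashMatches = $hits
    }
    # Also report the driver if it is registered as a service from any path.
    $result.RegisteredAs = @(Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -match 'physmem\.sys' } |
        ForEach-Object { "$($_.Name) <- $($_.PathName) [$($_.State)]" })
    [pscustomobject]$result
}

$comFindings = @(Test-ComHijack)
if ($comFindings.Count -gt 0) { $comFindings | Format-Table -AutoSize }
else { 'No suspicious InprocServer32 entries found.' }
Test-PhysmemDriver | Format-List
```

The signature check walks every registered COM server, so expect a few minutes on a busy workstation and some benign third-party hits under the Windows directory; the entries worth pulling for analysis are those that combine a missing or unsigned target with an IME-folder path or a per-user shadow of a machine-wide CLSID. A present physmem.sys at that path with zero hash matches is still worth investigating, since Microsoft only published hashes for the one driver they observed.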

  • 2 weeks later...

As far as ESET's awareness of this spyware goes, ESET just published a blog post on it here: https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/

It appears it was not possible to create a signature for the actual payload involved because:


We were unable to get an exploit and the final payload. This shows that the operators choose to narrow the focus of their operations and that they don’t want to burn their zero-day exploits.

