The spyware vendor from Israel, Candiru, was discovered abusing a Google Chrome vulnerability to spy on journalists and high-interest individuals from the Middle East, using a spyware called DevilsTongue.

The abuse of zero-day

Avast researchers spotted the vulnerability and reported it to Google. Further, they disclosed the details after examining DevilsTongue attacks on their clients.
  • Candiru started abusing the Google Chrome zero day vulnerability in March and targeting users in Palestine, Turkey, Yemen, and Lebanon.
  • The flaw, tracked as CVE-2022-2294, is a high-severity heap-based buffer overflow in WebRTC. Its successful exploitation may lead to code execution on the targeted device.
  • The tech firm patched the exploited Google Chrome vulnerability on July 4.
  • Since the bug exists in WebRTC, it also impacts Safari browser, however, the exploit found works on Windows.

Attack vectors

The spyware operators have used watering holes and spear-phishing tactics in their attacks.
  • This attack requires no interaction with the victim, such as clicking on a link or downloading a file. 
  • Instead, a user is made to open an already compromised website or the one created by hackers in a Chromium-based browser or Chrome. 
  • In one instance, the attackers infected a website used by a news agency in Lebanon and inserted JavaScript snippets to enable XSS attacks, and redirected targets to the exploit server.
  • In the Lebanon case, the chrome zero day vulnerability allowed shellcode execution inside a renderer process and further chained with a sandbox escape flaw that Avast failed to recover for investigation.

What was the target?

After the initial infection, the DevilsTongue spyware used a BYOVD (bring your own driver) step to elevate privileges and achieve read and write rights to the infected device's memory. Researchers believe the cybercriminals used the spyware to learn about what news stories the targeted journalists are working on.


The recent report sheds light on the dangers of services offered by commercial spyware vendors. These vendors are developing or buying zero-day exploits, including Google Chrome vulnerability, to target people asked by their clients. Thus, always protect data with powerful encryption and update devices with the latest security updates.
Cyware Publisher