Avast recently discovered a zero-day vulnerability in Google Chrome (CVE-2022-2294) when it was exploited in the wild in an attempt to attack Avast users in the Middle East in a highly targeted way. Specifically, the Avast Threat Intelligence team found out that in Lebanon, journalists were among the targeted parties, and further targets were located in Turkey, Yemen, and Palestine. The Avast Threat Intelligence team reported this vulnerability to Google, who patched it on July 4, 2022.
Based on the malware and tactics used to carry out the attack, the Avast researchers attributed it to a secretive spyware vendor most commonly known as Candiru. Via this attack, a profile of the victim’s browser, consisting of about 50 data points, is collected and sent to the attackers. The collected information includes the victim’s language, timezone, screen information, device type, browser plugins, referrer, device memory, cookie functionality, and more, likely to further protect the exploit and to make sure that it only gets delivered to the targeted victims. If the collected data turns out to be what the attackers looked for, the zero-day exploit is delivered to the victim’s machine via an encrypted channel. After the attackers get onto the machine, a malicious payload known as DevilsTongue is delivered attempting to escalate the machine’s privileges in order to get into the kernel using another zero-day exploit.
“In Lebanon, the attackers seem to have compromised a website used by employees of a news agency. We can’t say for sure what the attackers might have been after, however often the reason why attackers go after journalists is to spy on them and the stories they’re working on directly, or to get to their sources and gather compromising information and sensitive data they shared with the press. An attack like this could pose a threat for press freedom.“