Microsoft Threat Intelligence Center (MSTIC) has described a campaign by what it calls a private-sector offensive actor (PSOA), a group the company has been dealing with behind the scenes for some time.
With the help of Citizen Lab researchers, Microsoft traced the activity to Sourgum, a company that sells cyberweapons and malware. One of the malware families linked to Sourgum is DevilsTongue, which Microsoft observed in the present campaign. So far, researchers have counted more than 100 victims:
“The weapons […] were being used in precision attacks targeting more than 100 victims around the world including politicians, human rights activists, journalists, academics, embassy workers, and political dissidents,” Microsoft said in a report.
Approximately half of the DevilsTongue victims are in Palestine. Some victims have also been traced back to Israel, Iran, Spain/Catalonia, and the United Kingdom.
According to Citizen Lab, Sourgum is an Israeli start-up that counts various government agencies around the world among its customers.
Jointly with Citizen Lab, Microsoft analyzed a unique malware family developed by Sourgum and pushed fixes for the bugs it exploited, namely two previously unknown Windows vulnerabilities, CVE-2021-31979 and CVE-2021-33771.
Microsoft has also warned that the threat actor targets Windows PCs and browsers in order to deliver DevilsTongue.
One of the initial attack stages delivers browser exploits to targets through malicious URLs, Microsoft said. The modular DevilsTongue malware is described as having complex and novel capabilities. According to Microsoft, it can perform a range of malicious activities, including DLL hijacking, COM hijacking, shellcode deployment, file collection, registry tampering, and cookie theft.
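COM hijacking, one of the capabilities listed above, works because Windows consults the per-user hive (HKCU\Software\Classes) before the machine hive (HKLM\Software\Classes) when it resolves a CLSID, so a key the user can write can redirect a trusted process into an attacker-controlled DLL. The following PowerShell check is an added example and is not code from Microsoft's report or from DevilsTongue analysis; it is a generic hunt for that pattern on a Windows host. The list of user-writable directories and the flag names are assumptions made for this example.

```powershell
# Added example, not part of Microsoft's report: list per-user COM in-process
# server registrations that could be COM hijacks. COM checks HKCU\Software\Classes
# before HKLM\Software\Classes, so a user-hive entry can silently override a
# machine-wide one. Directory list and flag names are assumptions for this example.

$userWritableDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC) |
    Where-Object { $_ }   # drop environment variables that are not set

$userClsidRoot = 'HKCU:\Software\Classes\CLSID'

function Get-PerUserComServers {
    if (-not (Test-Path $userClsidRoot)) { return @() }

    foreach ($clsidKey in Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue) {
        $clsid      = $clsidKey.PSChildName
        $userServer = Join-Path $clsidKey.PSPath 'InprocServer32'
        if (-not (Test-Path $userServer)) { continue }

        # The (default) value of InprocServer32 is the DLL COM will load in-process.
        $dll = (Get-ItemProperty -Path $userServer -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($dll)) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))

        # Does a machine-wide registration exist for the same CLSID? If so, the user entry shadows it.
        $machineServer = "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
        $machineDll = if (Test-Path $machineServer) {
            (Get-ItemProperty -Path $machineServer -ErrorAction SilentlyContinue).'(default)'
        }

        $flags = @()
        if ($machineDll) { $flags += 'ShadowsHKLM' }
        if ($userWritableDirs | Where-Object { $dll.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }) {
            $flags += 'UserWritablePath'
        }
        if (Test-Path -LiteralPath $dll) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid') { $flags += "Signature:$($sig.Status)" }
        } else {
            # Dangling entry: whoever can create a file at that path owns the CLSID.
            $flags += 'DllMissing'
        }

        [PSCustomObject]@{
            CLSID      = $clsid
            UserDll    = $dll
            MachineDll = $machineDll
            Flags      = ($flags -join ',')
        }
    }
}

# Show only flagged entries; ShadowsHKLM combined with UserWritablePath or an
# invalid signature is the combination to triage first.
Get-PerUserComServers | Where-Object { $_.Flags } | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Run it in the context of the user being investigated, since HKCU is per user. Expect some noise: per-user installers (OneDrive, Teams and similar) legitimately register CLSIDs under HKCU, usually without shadowing an HKLM entry and with a valid signature, so the high-value hits are entries that both override a machine-wide registration and point at an unsigned DLL or a user-writable path.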
“We take these threats seriously and have moved swiftly alongside our partners to build in the latest protections for our customers,” Microsoft assured, and added:
“We’re providing this guidance with the expectation that Sourgum will likely change the characteristics we identify for detection in their next iteration of the malware. Given the actor’s level of sophistication, however, we believe that outcome would likely occur irrespective of our public guidance.”