MSTIC uncovered DevilsTongue – malware from an Israeli private-sector developer
The Microsoft Threat Intelligence Center (MSTIC) has recently identified a new threat: DevilsTongue, highly sophisticated malware from a private-sector offensive actor that MSTIC has dubbed SOURGUM.
MSTIC’s report explains that private-sector offensive actors like SOURGUM are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, which in turn use them to hack into computers, network infrastructure, phones, and other devices.
Microsoft studied this malware together with Citizen Lab at the University of Toronto’s Munk School. The reports on the findings were published on Thursday, July 15. Citizen Lab said it was able to identify the malware thanks to a victim who let the researchers analyze their PC.
SOURGUM’s DevilsTongue was reportedly used in targeted attacks on more than a hundred people in Palestine (about half of all victims), Iran, Israel, Lebanon, the UK, Spain, and other countries. The victims included human rights activists, politicians, journalists, embassy workers, academics, and political dissidents.
Microsoft promptly issued protections against the malware, as well as a Windows security update that addresses the exploits used to deliver it.
According to MSTIC’s report, systems that have the July 2021 security update installed are protected from this threat.
Beyond standard malware capabilities such as file collection, running WMI commands, querying the registry, and querying SQLite databases, DevilsTongue can steal victim credentials from browsers (Firefox and Chrome) and from LSASS. It also has dedicated functionality for decrypting and exfiltrating conversations from the Signal messaging application.
The malware also retrieves cookies from multiple web browsers; an attacker may use these cookies to sign in to websites posing as the victim.