The Microsoft Threat Intelligence Center (MSTIC), alongside the Microsoft Security Response Center (MSRC), has uncovered a private-sector offensive actor, or PSOA, that we are calling SOURGUM, in possession of now-patched Windows 0-day exploits (CVE-2021-31979 and CVE-2021-33771).
Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets' computers, phones, network infrastructure, and other devices. With these hacking packages, the government agencies usually choose the targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies only add to the complexity, scale, and sophistication of attacks. We take these threats seriously and have moved swiftly alongside our partners to build the latest protections into our products for our customers.
MSTIC believes SOURGUM is an Israel-based private-sector offensive actor. We would like to thank Citizen Lab, at the University of Toronto's Munk School, for sharing the malware sample that initiated this work and for their collaboration during the investigation. In their blog, Citizen Lab asserts with high confidence that SOURGUM is an Israeli company commonly known as Candiru. Third-party reports indicate Candiru produces "hacking tools [that] are used to break into computers and servers".
As we shared in the Microsoft on the Issues blog, Microsoft and Citizen Lab have worked together to disable the malware being used by SOURGUM, which targeted more than 100 victims around the world including politicians, human rights activists, journalists, academics, embassy workers, and political dissidents. To limit these attacks, Microsoft has created and built protections into our products against this unique malware, which we are calling DevilsTongue. We have shared these protections with the security community so that we can collectively address and mitigate this threat. We have also issued a software update that protects Windows customers from the associated exploits that the actor used to help deliver its highly sophisticated malware.
Media reports (1, 2, 3) have indicated that PSOAs often sell Windows exploits and malware in hacking-as-a-service packages to government agencies. Agencies in Uzbekistan, the United Arab Emirates, and Saudi Arabia are among Candiru's alleged previous customers. These agencies, then, likely choose whom to target and run the cyberoperations themselves.
Microsoft has identified over 100 victims of SOURGUM's malware, and these victims are as geographically diverse as would be expected when varied government agencies are believed to be selecting the targets. Approximately half of the victims were found in the Palestinian Authority, with most of the remaining victims located in Israel, Iran, Lebanon, Yemen, Spain (Catalonia), the United Kingdom, Turkey, Armenia, and Singapore. To be clear, the identification of victims of the malware in a country doesn't necessarily mean that an agency in that country is a SOURGUM customer, as international targeting is common.
Any Microsoft 365 Defender and Microsoft Defender for Endpoint alerts that carry detection names for the DevilsTongue malware are signs of compromise by SOURGUM's malware. We have included a list of detection names below for customers to perform additional hunting in their environments.
SOURGUM appears to use a chain of browser and Windows exploits, including 0-days, to install malware on victim machines. Browser exploits appear to be served via single-use URLs sent to targets on messaging applications such as WhatsApp.
During the investigation, Microsoft discovered two Windows 0-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771, both of which were fixed in the July 2021 security updates. These vulnerabilities allow privilege escalation, giving an attacker the ability to escape browser sandboxes and gain kernel code execution. Customers who have applied the July 2021 security update are protected from these exploits.
CVE-2021-31979 is an integer overflow within the Windows NT-based operating system kernel (NTOS). The overflow results in an incorrect (too small) buffer size being calculated, which is then used to allocate a buffer in the kernel pool. A buffer overflow subsequently occurs while copying memory into the smaller-than-expected destination buffer. This can be leveraged to corrupt an object in an adjacent memory allocation: using APIs from user mode, the kernel pool layout can be groomed with controlled allocations so that a chosen object lands in the adjacent memory location. Once corrupted by the buffer overflow, that object can be turned into a user mode to kernel mode read/write primitive. With these primitives in place, an attacker can then elevate their privileges.
CVE-2021-33771 is a race condition within NTOS resulting in a use-after-free of a kernel object. By using multiple racing threads, the kernel object can be freed and the freed memory reclaimed by a controllable object. As with the previous vulnerability, the kernel pool can be sprayed with allocations made through user mode APIs in the hope of landing an object allocation within the recently freed memory. If successful, the controllable object can be used to form a user mode to kernel mode read/write primitive and elevate privileges.
DevilsTongue is a complex, modular, multi-threaded piece of malware written in C and C++ with several novel capabilities. Analysis is still ongoing for some components and capabilities, but we're sharing our present understanding of the malware so defenders can use this intelligence to protect networks and so other researchers can build on our analysis.
For files on disk, PDB paths and PE timestamps are scrubbed, strings and configs are encrypted, and each file has a unique hash. The main functionality resides in DLLs that are encrypted on disk and only decrypted in memory, making detection more difficult. Configuration and tasking data is kept separate from the malware, which makes analysis harder. DevilsTongue has both user mode and kernel mode capabilities, and several novel detection-evasion mechanisms are built in. All of these features are evidence that the SOURGUM developers are very professional, have extensive experience writing Windows malware, and have a good understanding of operational security.
When the malware is installed, a first-stage "hijack" DLL is dropped into a subfolder of C:\Windows\system32\IME\; the folder and file names of the hijack DLLs blend in with legitimate names in the \IME\ directories. Encrypted second-stage malware and config files are dropped into subfolders of C:\Windows\system32\config\ with a .dat file extension. A legitimate, signed third-party driver, physmem.sys, is dropped into the system32 folder. A file called WimBootConfigurations.ini is also dropped; this file holds the command used for the COM hijack that follows. Finally, the malware writes the path of the hijack DLL into a COM class registry key, overwriting the legitimate COM DLL path that was there, achieving persistence via COM hijacking.
Through the COM hijack, the DevilsTongue first-stage hijack DLL gets loaded into a svchost.exe process and runs with SYSTEM privileges. A naive COM hijack means the original DLL that was registered in the COM key is no longer loaded. That can break system functionality and trigger an investigation that could lead to the discovery of the malware, so DevilsTongue employs an interesting technique to avoid it. In its DllMain function it calls LoadLibrary on the original COM DLL so that the legitimate DLL is correctly loaded into the process. DevilsTongue then walks the call stack to find the return address of LoadLibraryExW (i.e., the function currently loading the DevilsTongue DLL), which would normally return the base address of the DevilsTongue DLL to its caller.
Once the LoadLibraryExW return address has been found, DevilsTongue allocates a small buffer containing shellcode that places the COM DLL's base address (imecfmup.7FFE49060000 in Figure 1) into the rax register and then jumps to the original return address of LoadLibraryExW (svchost.7FF78E903BFB in Figures 1 and 2). In Figure 1 the COM DLL is named imecfmup rather than a legitimate COM DLL name because some DevilsTongue samples copy the COM DLL to another location and rename it.
Figure 1. DevilsTongue return address modification shellcode
DevilsTongue then swaps the original LoadLibraryExW return address on the stack for the address of the shellcode, so that when LoadLibraryExW returns it returns into the shellcode (Figures 2 and 3). The shellcode replaces the DevilsTongue base address in rax with the COM DLL's base address, making it look as though LoadLibraryExW returned the COM DLL's address. The svchost.exe host process then uses the returned COM DLL base address exactly as it normally would.
Figure 2. Call stack before the stack swap: LoadLibraryExW in kernelbase returning to svchost.exe (0x7FF78E903BFB)
Figure 3. Call stack after the stack swap: LoadLibraryExW in kernelbase returning to the shellcode address (0x156C51E0000 from Figure 1)
This technique ensures that the DevilsTongue DLL is loaded by the svchost.exe process, giving the malware persistence, while the legitimate COM DLL is also loaded correctly, so there is no noticeable change in functionality on the victim's system.
After this, the hijack DLL decrypts and loads a second-stage malware DLL from one of the encrypted .dat files. The second-stage malware decrypts another .dat file that contains multiple helper DLLs it relies on for functionality.
DevilsTongue has standard malware capabilities, including file collection, registry querying, running WMI commands, and querying SQLite databases. It is capable of stealing victim credentials from both LSASS and from browsers such as Chrome and Firefox. It also has dedicated functionality to decrypt and exfiltrate conversations from the Signal messaging app.
It can retrieve cookies from a variety of web browsers. These stolen cookies can later be used by the attacker to sign in to websites as the victim to enable further information gathering. Cookies are collected from these paths (* is a wildcard matching any folder):
%LOCALAPPDATA%\Chromium\User Data\*\Cookies
%LOCALAPPDATA%\Google\Chrome\User Data\*\Cookies
%LOCALAPPDATA%\Microsoft\Windows\INetCookies
%LOCALAPPDATA%\Packages\*\AC\*\MicrosoftEdge\Cookies
%LOCALAPPDATA%\UCBrowser\User Data_i18n\*\Cookies.9
%LOCALAPPDATA%\Yandex\YandexBrowser\User Data\*\Cookies
%APPDATA%\Apple Computer\Safari\Cookies\Cookies.binarycookies
%APPDATA%\Microsoft\Windows\Cookies
%APPDATA%\Mozilla\Firefox\Profiles\*\cookies.sqlite
%APPDATA%\Opera Software\Opera Stable\Cookies
Alongside DevilsTongue, a signed third-party driver is dropped to C:\Windows\system32\physmem.sys. The driver's description is "Physical Memory Access Driver", and it appears to offer a "by-design" kernel read/write capability. DevilsTongue appears to abuse this to proxy certain API calls through the kernel to hinder detection, including the ability to make some of the calls appear to originate from other processes. Functions that can be proxied include CreateProcessW, VirtualAllocEx, VirtualProtectEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, and RegSetKeyValueW.
Prevention and detection
To prevent compromise from browser exploits, it's recommended to open links from untrusted parties in an isolated environment, such as a virtual machine. Using a modern version of Windows 10 with virtualization-based protections, such as Credential Guard, defeats DevilsTongue's LSASS credential-stealing capability. Enabling the attack surface reduction rule "Block abuse of exploited vulnerable signed drivers" in Microsoft Defender for Endpoint blocks the driver that DevilsTongue uses. Network protection blocks known SOURGUM domains.
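As an added illustration of the preventive settings above (this is an example written for this page, not code from the Microsoft post), the following PowerShell enables the vulnerable-driver ASR rule in block mode, verifies that the change took effect, and checks whether Credential Guard is actually running. It assumes an elevated prompt on Windows 10 with Microsoft Defender Antivirus as the active AV. The rule GUID does not appear in the post; it is the identifier Microsoft documents for "Block abuse of exploited vulnerable signed drivers" and should be confirmed against current Microsoft documentation before use.

```powershell
# Added example (not from the Microsoft post): turn on the ASR rule the post
# recommends and confirm the protections it relies on are active.
# Assumptions: elevated PowerShell on Windows 10 with Microsoft Defender
# Antivirus as the active AV; $VulnDriverRule is the GUID Microsoft documents
# for "Block abuse of exploited vulnerable signed drivers".
$VulnDriverRule = '56a863a9-875e-4185-98a7-b882c64b5ce5'

# Add-MpPreference appends to the ASR rule list, so other configured rules
# are left as they are. 'Enabled' is block mode; use 'AuditMode' to trial it.
Add-MpPreference -AttackSurfaceReductionRules_Ids $VulnDriverRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# Verify. The Ids and Actions arrays are parallel, so walk them together
# rather than assuming the rule landed at any particular index.
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$state   = 'NotConfigured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $VulnDriverRule) {
        # 0 = Off, 1 = Block, 2 = Audit, 6 = Warn
        $state = $actions[$i]
    }
}
"Vulnerable-driver ASR rule action: $state"

# Credential Guard. Win32_DeviceGuard.SecurityServicesRunning lists 1 for
# Credential Guard and 2 for HVCI; without Credential Guard, the LSASS
# credential theft described above still works.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -contains 1) {
    'Credential Guard: running'
} else {
    'Credential Guard: NOT running (LSASS credentials remain exposed)'
}
```

Run the rule in AuditMode first on a representative set of machines: the rule matches a Microsoft-maintained list of vulnerable drivers, and blocking one that a legitimate tool on your estate depends on will surface as driver-load failures rather than as a Defender alert you would naturally look for.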
This section is intended to serve as a non-exhaustive guide to help customers and peers in the cybersecurity industry detect the DevilsTongue malware. We're providing this guidance with the expectation that SOURGUM will likely change the characteristics we use for detection in the next iteration of the malware. Given the actor's level of sophistication, however, we believe that would likely happen regardless of our public guidance.
The hijack DLLs are in subfolders of \system32\ime\ and have names starting with "im". They are blended in with legitimate DLLs in those folders. To distinguish malicious from benign, note that the legitimate DLLs are signed (on Windows 10) whereas the DevilsTongue files aren't. Example paths:
The DevilsTongue configuration files, which are AES-encrypted, are in subfolders of C:\Windows\system32\config\ and have a .dat extension. The exact paths are victim-specific, although some folder names are common across victims. Because the files are AES-encrypted, any .dat file whose size mod 16 is 0 can be considered a possible malware config file. The config files are always in newly created folders, never in the legitimate existing ones (e.g., on Windows 10, never in \Journal, \systemprofile, \TxR, etc.). Example paths:
C:\Windows\system32\config\spp\ServiceState\Recovery\pac.dat
C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat
C:\Windows\system32\config\config\startwus.dat
Commonly reused folder names in the config file paths:
spp
SKB
curv
networklist
Licenses
InputMethod
Recovery
The Physmem driver is dropped into system32 as C:\Windows\system32\physmem.sys.
The two COM keys that have been observed being hijacked for persistence are listed below with their clean default values. If a key's default value points to a DLL in the \system32\ime\ folder, that DLL is likely DevilsTongue.
HKLM\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 = %systemroot%\system32\wbem\wmiutils.dll (clean default value)
HKLM\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocServer32 = %systemroot%\system32\wbem\wbemsvc.dll (clean default value)
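The four host-based checks above (unsigned "im*" DLLs under \ime\, AES-sized .dat files in new \config\ subfolders, physmem.sys in system32, and the two hijacked CLSIDs) can be run together from an elevated PowerShell prompt. The script below is an added example written for this page, not tooling from the post or from Microsoft. The paths, CLSIDs, clean default values and the physmem.sys SHA-256 (from the IOC list further down) are taken from the post; the "im*.dll" filename filter and the short list of known-legitimate config folders are assumptions drawn from the post's description and are deliberately conservative rather than exhaustive.

```powershell
# Added hunting example (not from the Microsoft post). Run elevated on Windows 10.
# Paths, CLSIDs and the physmem.sys hash come from the post; the 'im*.dll'
# filter and $KnownGoodConfigDirs are assumptions, not an exhaustive allow-list.
$sys32     = Join-Path $env:SystemRoot 'System32'
$configDir = Join-Path $sys32 'config'
$findings  = New-Object System.Collections.Generic.List[object]

function Add-Finding($Check, $Path, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Path = $Path; Detail = $Detail })
}

# 1. Hijack DLLs: 'im*' names under system32\ime\ that lack a valid Authenticode
#    signature. Legitimate IME DLLs on Windows 10 are signed; DevilsTongue's are not.
Get-ChildItem -Path (Join-Path $sys32 'ime') -Recurse -Filter 'im*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') { Add-Finding 'UnsignedImeDll' $_.FullName $sig.Status }
    }

# 2. Encrypted config / second-stage files: .dat files under system32\config\ whose
#    size is a multiple of 16 (AES block size) and which sit outside the legitimate
#    top-level folders. The post only names Journal, systemprofile and TxR as
#    never used by the malware; extend this list from a known-clean reference build.
$KnownGoodConfigDirs = @('Journal', 'systemprofile', 'TxR')   # assumption: partial list
Get-ChildItem -Path $configDir -Recurse -Filter '*.dat' -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 -and ($_.Length % 16) -eq 0 } |
    ForEach-Object {
        $rel = $_.DirectoryName.Substring($configDir.Length).TrimStart('\')
        $top = ($rel -split '\\')[0]
        if ($KnownGoodConfigDirs -notcontains $top) {
            Add-Finding 'PossibleEncryptedConfig' $_.FullName "size=$($_.Length)"
        }
    }

# 3. physmem.sys at the path the post calls a high-confidence indicator. The driver
#    is legitimate elsewhere, so the path is the signal; the hash confirms the sample.
$physmem = Join-Path $sys32 'physmem.sys'
$KnownPhysmemSha256 = 'c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d'
if (Test-Path -Path $physmem) {
    $hash = (Get-FileHash -Path $physmem -Algorithm SHA256).Hash
    $detail = if ($hash -eq $KnownPhysmemSha256) { 'SHA-256 matches IOC' } else { "present, SHA-256 $hash" }
    Add-Finding 'PhysmemDriver' $physmem $detail
}

# 4. COM hijack: the two CLSIDs observed, each with the clean default it should hold.
#    Flag if the value points under \ime\ or no longer ends in the expected DLL.
$ComKeys = @{
    '{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}' = '\system32\wbem\wmiutils.dll'
    '{7C857801-7381-11CF-884D-00AA004B2E24}' = '\system32\wbem\wbemsvc.dll'
}
foreach ($clsid in $ComKeys.Keys) {
    $key = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrEmpty($val)) { continue }   # key absent on this build
    $expanded = [Environment]::ExpandEnvironmentVariables($val)
    if ($expanded -like '*\system32\ime\*' -or $expanded -notlike "*$($ComKeys[$clsid])") {
        Add-Finding 'ComHijack' $key $val
    }
}

$findings | Format-Table -AutoSize
```

Treat the output as a candidate list rather than a verdict. An unsigned im*.dll under \ime\ or a CLSID default value pointing anywhere but the wbem DLL above is strong on its own; the .dat size test is weak in isolation (one in sixteen benign files passes it) and is only useful when the file also sits in a folder that does not exist on a clean build of the same Windows version, so diff the PossibleEncryptedConfig paths against a reference machine before acting on them.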
File content and characteristics
This YARA rule can be used to find the DevilsTongue hijack DLL:
import "pe"

rule DevilsTongue_HijackDll
{
    meta:
        description = "Detects SOURGUM's DevilsTongue hijack DLL"
        author = "Microsoft Threat Intelligence Center (MSTIC)"
        date = "2021-07-15"

    strings:
        $str1 = "windows.old\\windows" wide
        $str2 = "NtQueryInformationThread"
        $str3 = "dbgHelp.dll" wide
        $str4 = "StackWalk64"
        $str5 = "ConvertSidToStringSidW"
        $str6 = "S-1-5-18" wide
        $str7 = "SMNew.dll"          // DLL original name

        // Call check in stack manipulation
        // B8 FF 15 00 00        mov     eax, 15FFh
        // 66 39 41 FA           cmp     [rcx-6], ax
        // 74 06                 jz      short loc_1800042B9
        // 80 79 FB E8           cmp     byte ptr [rcx-5], 0E8h ; 'e'
        $code1 = { B8 FF 15 00 00 66 39 41 FA 74 06 80 79 FB E8 }

        // PRNG to generate number of times to sleep 1s before exiting
        // 44 8B C0              mov     r8d, eax
        // B8 B5 81 4E 1B        mov     eax, 1B4E81B5h
        // 41 F7 E8              imul    r8d
        // C1 FA 05              sar     edx, 5
        // 8B CA                 mov     ecx, edx
        // C1 E9 1F              shr     ecx, 1Fh
        // 03 D1                 add     edx, ecx
        // 69 CA 2C 01 00 00     imul    ecx, edx, 12Ch
        // 44 2B C1              sub     r8d, ecx
        // 45 85 C0              test    r8d, r8d
        // 7E 19                 jle     short loc_1800014D0
        $code2 = { 44 8B C0 B8 B5 81 4E 1B 41 F7 E8 C1 FA 05 8B CA C1 E9 1F 03 D1 69 CA 2C 01 00 00 44 2B C1 45 85 C0 7E 19 }

    condition:
        filesize < 800KB and
        uint16(0) == 0x5A4D and
        (pe.characteristics & pe.DLL) and
        (
            4 of them or
            ($code1 and $code2) or
            pe.imphash() == "9a964e810949704ff7b4a393d9adda60"
        )
}
Microsoft Defender Antivirus detections
Microsoft Defender for Endpoint alerts
COM Hijacking
Possible theft of sensitive web browser information
Theft of SSO cookies
Azure Sentinel query
Indicators of compromise( IOCs)
Note that this driver may be used legitimately, but if it is seen at the path C:\Windows\system32\physmem.sys then it is a high-confidence indicator of DevilsTongue activity. The hashes below are for the one driver observed in use.
MD5: a0e2223868b6133c5712ba5ed20c3e8a
SHA-1: 17614fdee3b89272e99758983b99111cbb1b312c
SHA-256: c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d
noc-service-streamer[.]com
fbcdnads[.]live
hilocake[.]info
backxercise[.]com
winmslaf[.]xyz
service-deamon[.]com
online-affiliate-mon[.]com
codeingasmylife[.]com
kenoratravels[.]com
weathercheck[.]digital
colorpallatess[.]com
library-update[.]com
online-source-validate[.]com
grayhornet[.]com
johnshopkin[.]net
eulenformacion[.]com
pochtarossiy[.]info