Spyware vendors use 0-days and n-days against popular platforms

In December 2022, TAG discovered a complete exploit chain consisting of multiple 0-days and n-days targeting the latest version of Samsung Internet Browser. The exploits were delivered in one-time links sent via SMS to devices located in the United Arab Emirates (UAE).

The link directed users to a landing page identical to the one TAG examined in the Heliconia framework developed by commercial spyware vendor Variston. The exploit chain ultimately delivered a fully featured Android spyware suite written in C++ that includes libraries for decrypting and capturing data from various chat and browser applications. The actor using the exploit chain to target UAE users may be a customer or partner of Variston, or otherwise working closely with the spyware vendor.

The exploit chain TAG recovered was delivered to the latest version of Samsung’s Browser, which runs on Chromium 102 and does not include recent mitigations. If they had been in place, the attackers would have needed additional vulnerabilities to bypass the mitigations. The exploit chain consisted of multiple 0-days and n-days:

CVE-2022-4262, a type confusion vulnerability in Chrome fixed in December 2022 (0-day at time of exploitation) – similar to CVE-2022-1134.
CVE-2022-3038, a sandbox escape in Chrome fixed in August 2022, in version 105 and found by Sergei Glazunov in June 2022.
CVE-2022-22706, a vulnerability in Mali GPU Kernel Driver fixed by ARM in January 2022 and marked as being used in the wild. At the time of delivery, the latest Samsung firmware had not included a fix for this vulnerability. This vulnerability grants the attacker system access.
CVE-2023-0266, a race condition vulnerability in the Linux kernel sound subsystem reachable from the system user and that gives the attacker kernel read and write access (0-day at time of exploitation).

The exploit chain also took advantage of multiple kernel information leak 0-days when exploiting CVE-2022-22706 and CVE-2023-0266. Google reported these vulnerabilities to ARM and Samsung. CVE-2023-26083 was reserved for the information leak in Mali.

Related IOCs

www.sufficeconfigure[.]com – landing page and exploit delivery
www.anglesyen[.]org – malware C2
The following Android system properties might indicate signs of exploitation
- sys.brand.note
- sys.brand.notes
- sys.brand.doc
The following directory on the phone might indicate signs of infection

Source link

Leave a Reply Cancel reply

You must be logged in to post a comment.

Spyware vendors use 0-days and n-days against popular platforms

Share:

Leave a Reply Cancel reply

3 latest news

How Google built generative AI tools for the Chrome browser

Google DeepMind and Isomorphic Labs introduce AlphaFold 3 AI model

The Sky’s the Limit for Paid Search & Social Ads

Archives

Related Posts

How Google built generative AI tools for the Chrome browser

Google DeepMind and Isomorphic Labs introduce AlphaFold 3 AI model

The Sky’s the Limit for Paid Search & Social Ads

How Companies Are Using Meta Llama

Everything We Know About Generative AI Regulation in 2024

INTERESTED?

SOLUTIONS

FOR CUSTOMERS

Weekly Newslatter

Solverwp- WordPress Theme and Plugin