Pierluigi Paganini
March 29, 2023
Google’s Threat Analysis Group (TAG) shared details about two distinct campaigns which used several zero-day exploits against Android, iOS and Chrome. The experts pointed out that both campaigns were limited and highly targeted. The threat actors behind the attacks used both zero-day and n-day exploits in their exploits.
The exploit chains were used to install commercial spyware and malicious apps on targets’ devices.
The first campaign was spotted in November 2022, the exploit chains discovered by TAG researchers were affecting Android and iOS and were delivered via bit.ly links sent over SMS to users. The campaign aimed at users in Italy, Malaysia, and Kazakhstan. Once clicked the links, targets are initially redirected to pages hosting exploits for either Android or iOS, then redirected to legitimate websites (e.g. Italian-based shipment and logistics company BRT, or a popular Malaysian news website).
The initial landing page was observed hosting the exploits for a WebKit remote code execution zero-day (CVE-2022-42856) and a sandbox escape (CVE-2021-30900) issue.
In this campaign, the final payload was a simple stager that pings back the GPS location of the device and allows to install an .IPA file (iOS application archive) onto the affected device.
The Android exploit chain in the first campaign targeted users on phones with an ARM GPU running Chrome versions prior to 106. The exploit chain consisted of three exploits, including one 0-day:
“We were unable to obtain the final payload for this exploit chain.” reads the post published Google TAG. “When ARM released a fix for CVE-2022-38181, patches were not immediately incorporated by vendors, resulting in the bugs exploitation. This was recently highlighted by blog posts from Project Zero and Github Security Lab.”
The second campaign was spotted in December 2022 when the researchers discovered an exploit chain targeting the latest version of the Samsung Internet Browser using multiple zero-days and n-days.
The victims of the attack were people in the United Arab Emirates (UAE) that were targeted by Variston commercial spyware. The attackers used one-time links sent via SMS to targets’ devices.
The link directed users to a landing page that is the same TAG examined in the Heliconia framework developed by Variston. The exploit chain delivered a fully featured Android spyware suite written in C++ that was able to steal data from various chat and browser applications. Experts believe that the threat actor could be a customer or partner of Variston, or a third-party working closely with the spyware vendor.
The exploit chain included the following 0-days and n-days:
Google TAG shared indicators of compromise (IoCs) for both campaigns.
“These campaigns are a reminder that the commercial spyware industry continues to thrive. Even smaller surveillance vendors have access to 0-days, and vendors stockpiling and using 0-day vulnerabilities in secret pose a severe risk to the Internet.” concludes the report. “These campaigns may also indicate that exploits and techniques are being shared between surveillance vendors, enabling the proliferation of dangerous hacking tools. We remain committed to updating the community, and taking steps to protect users, as we uncover these campaigns.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, exploit chains)
