Google TAG discovered exploit chains used to install commercial spyware
Google's Threat Analysis Group (TAG) described two separate operations that targeted Android, iOS, and Chrome with a number of zero-day exploits. The analysts emphasised that both campaigns were narrow in scope and highly targeted. The threat actors behind the attacks employed both zero-day and n-day exploits.
The campaign's final payload was a straightforward stager that reports the device's GPS location and enables the installation of an .IPA file (iOS application archive) on the compromised device.
The first campaign's Android exploit chain primarily targeted users of Android devices running Chrome versions earlier than 106. The chain of compromise consisted of three exploits, including one 0-day:
- CVE-2022-3723, a type confusion vulnerability in Chrome, found by Avast in the wild and fixed in October 2022 in version 107.0.5304.87.
- CVE-2022-4135, a Chrome GPU sandbox bypass only affecting Android (0-day at time of exploitation), fixed in November 2022. Sergei Glazunov from Project Zero helped analyze the exploit and wrote a root cause analysis for this bug.
- CVE-2022-38181, a privilege escalation bug fixed by ARM in August 2022. It is unclear if attackers had an exploit for this vulnerability before it was reported to ARM.
Indicators of compromise
- https://cdn.cutlink[.]site/p/uu6ekt
- https://api.cutlink[.]site/api/s/N0NBL8/
- https://api.cutlink[.]site/api/s/3PU970/
- https://imjustarandomsite.3utilities[.]com
- www.sufficeconfigure[.]com - landing page and exploit delivery
- www.anglesyen[.]org - malware C2
- sys.brand.note
- sys.brand.notes
- sys.brand.doc
- /data/local/tmp/dropbox
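The indicators above are published defanged (with `[.]` in place of `.`) so that they cannot be resolved by accident. The script below is an added example, not code from the TAG report or this article: it refangs the list, reduces the URLs to their hosts (the assumption being that proxy and DNS logs carry the hostname but rarely the full path), and scans a handful of constructed log lines for any contact with those hosts, installation of the listed package names, or creation of the listed file path. Package names and paths are matched on word boundaries so that `sys.brand.note` does not also fire on `sys.brand.notes`.

```python
import re
from urllib.parse import urlparse

# Indicators as published in the report, in defanged form.
DEFANGED_IOCS = [
    "https://cdn.cutlink[.]site/p/uu6ekt",
    "https://api.cutlink[.]site/api/s/N0NBL8/",
    "https://api.cutlink[.]site/api/s/3PU970/",
    "https://imjustarandomsite.3utilities[.]com",
    "www.sufficeconfigure[.]com",
    "www.anglesyen[.]org",
    "sys.brand.note",
    "sys.brand.notes",
    "sys.brand.doc",
    "/data/local/tmp/dropbox",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def build_patterns(iocs):
    """Compile one bounded regex per distinct indicator.

    URLs are reduced to their hostname (assumption: host-level matching is
    what most DNS/proxy logs allow). Hostnames, package names and file paths
    are matched whole: the lookbehind/lookahead stop a shorter indicator from
    matching inside a longer identifier.
    """
    patterns = {}
    for raw in iocs:
        ioc = refang(raw)
        key = urlparse(ioc).hostname if "://" in ioc else ioc
        if key not in patterns:
            patterns[key] = re.compile(
                r"(?<![\w.-])" + re.escape(key) + r"(?![\w-])", re.IGNORECASE
            )
    return patterns


PATTERNS = build_patterns(DEFANGED_IOCS)


def scan_lines(lines):
    """Return (line_number, indicator) pairs for every line that contains an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for key, pat in PATTERNS.items():
            if pat.search(line):
                hits.append((n, key))
    return hits


# Constructed sample log lines (not real telemetry): a proxy hit, two DNS
# queries, an Android package install and two file-creation events.
SAMPLE_LOG = [
    '2022-11-10T09:12:33Z proxy user=alice dst=api.cutlink.site uri=/api/s/N0NBL8/ ua="Chrome/105.0.5195.136"',
    "2022-11-10T09:12:40Z dns query=www.anglesyen.org type=A",
    "2022-11-10T09:13:01Z dns query=www.example.com type=A",
    "2022-11-10T09:15:12Z android pm install pkg=sys.brand.notes",
    "2022-11-10T09:15:20Z android fs create path=/data/local/tmp/dropbox",
    "2022-11-10T09:15:25Z android fs create path=/data/local/tmp/dropbox_cache",
]

if __name__ == "__main__":
    for line_no, ioc in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: matched {ioc}")
```

Feeding real proxy, DNS or endpoint logs into `scan_lines` in place of `SAMPLE_LOG` gives a first-pass triage; a hit on `sys.brand.note` or `/data/local/tmp/dropbox` on an Android device is worth a closer look even when no network indicator is present.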