The DevilsTongue Malware is a modular threat written in C and C++. DevilsTongue possesses several complex obfuscation and persistence capabilities that make the threat harder to detect and analyze. For example, DevilsTongue's main functionality is contained inside .DLL files that are stored encrypted on disk and decrypted only in memory. The malware's persistence mechanism ensures that its DLL is loaded by the svchost.exe process without causing any noticeable change in the behavior of the compromised system.
Once established, DevilsTongue can run in user or kernel mode and can perform a variety of harmful actions. It can collect chosen files, run WMI commands, and query SQLite databases and the system Registry. Furthermore, the malware is capable of collecting credentials from both the Local Security Authority Subsystem Service (LSASS) and a select number of popular Web browsers. It can also access cookies from several browsers, including Chrome, Firefox, Safari, Yandex, Opera and more. DevilsTongue is also equipped with dedicated functionality that decrypts and then exfiltrates conversations from the Signal encrypted messaging application.
DevilsTongue Malware Distribution
In the initial stages of its attack chain, DevilsTongue exploits browser vulnerabilities delivered via malicious URLs spread through messaging services such as WhatsApp. Microsoft, assisted by the human rights organization Citizen Lab, released fixes for two previously unknown zero-day vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771. Both allow privilege escalation in the Windows kernel on the affected system.
Microsoft and Citizen Lab believe that a 'private-sector offensive actor' (PSOA) named Sourgum is behind the DevilsTongue attacks. The identities of the victims reveal that approximately half are located in Palestine, with a significantly smaller number located in Israel, Iran, Spain and the UK. Citizen Lab has determined that Sourgum is based in Israel and that its customers include government agencies from several different countries.