Cybersecurity and intelligence agencies from Australia, Canada, New Zealand, the U.K., and the U.S. on Thursday disclosed details of a mobile malware strain targeting Android devices used by the Ukrainian military.
The malicious software, dubbed Infamous Chisel and attributed to a Russian state-sponsored actor called Sandworm, has capabilities to “enable unauthorized access to compromised devices, scan files, monitor traffic, and periodically steal sensitive information.”
Some aspects of the malware were uncovered by the Security Service of Ukraine (SBU) earlier in August, highlighting unsuccessful attempts on the part of adversaries to penetrate Ukrainian military networks and gather valuable intelligence.
Sandworm, also known by the names FROZENBARENTS, Iron Viking, Seashell Blizzard, and Voodoo Bear, refers to the Russian Main Intelligence Directorate’s (GRU) Main Centre for Special Technologies (GTsST).
Active since at least 2014, the hacking crew is best known for its string of disruptive and destructive cyber campaigns using malware such as Industroyer, BlackEnergy, and NotPetya.
In July 2023, Google-owned Mandiant said that the malicious cyber operations of GRU adhere to a playbook that offers tactical and strategic benefits, enabling the threat actors to adapt swiftly to a “fast-paced and highly contested operating environment” and at the same time maximize the speed, scale, and intensity without getting detected.
Infamous Chisel is described as a collection of multiple components that’s designed with the intent to enable remote access and exfiltrate information from Android phones.
Besides scanning the devices for information and files matching a predefined set of file extensions, the malware also contains functionality to periodically scan the local network and offer SSH access.
“Infamous Chisel also provides remote access by configuring and executing TOR with a hidden service which forwards to a modified Dropbear binary providing a SSH connection,” the Five Eyes (FVEY) intelligence alliance said.
A brief description of each of the modules is as follows –
- netd – Collate and exfiltrate information from the compromised device at set intervals, including from app-specific directories and web browsers
- td – Provide TOR services
- blob – Configure Tor services and check network connectivity (executed by netd)
- tcpdump – Legitimate tcpdump utility with no modifications
- killer – Terminate the netd process
- db – Contains several tools to copy files and provide secure shell access to the device via the TOR hidden service using a modified version of Dropbear
- NDBR – A multi-call binary similar to db that comes in two flavors to be able to run on Arm (ndbr_armv7l) and Intel (ndbr_i686) CPU architectures
Persistence on the device is achieved by replacing the legitimate netd daemon, which is responsible for network configuration on Android, with a rogue version, enabling it to execute commands as the root user.
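The persistence mechanism described above, a trojanized netd dropped in place of the legitimate daemon alongside extra binaries (Tor, a modified Dropbear, tcpdump), is the kind of change a file-integrity baseline catches. The following is an added example written for this article, not code from the advisory or from any of the agencies; it compares a snapshot of a device's system binaries (path to file bytes, as an analyst might collect them over `adb pull`) against a known-good hash baseline. The baseline hashes and the snapshot contents are constructed placeholders, and the `/system/bin/...` paths are an assumption about where such binaries would live on a given build; a real baseline must come from the vendor firmware image for the exact device build. The component names listed in the article are used only as a weak secondary signal, since generic names like `db` or `blob` collide with legitimate files.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str
    confidence: str  # "high" for hash/presence evidence, "medium"/"low" for name hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline (hypothetical): expected SHA-256 of known-good binaries.
# The hashes below are derived from placeholder bytes purely so the example runs;
# a real baseline is built from the vendor firmware image for the exact build.
BASELINE: dict[str, str] = {
    "/system/bin/netd": sha256_hex(b"constructed: genuine netd build"),
    "/system/bin/sh": sha256_hex(b"constructed: genuine sh build"),
}

# Component names reported for Infamous Chisel in the advisory quoted above.
# A name match alone is weak evidence, so it only raises the confidence of an
# "unexpected file" finding; the primary signal is the hash/presence check.
REPORTED_COMPONENT_NAMES = {
    "td", "blob", "db", "killer", "ndbr_armv7l", "ndbr_i686", "tcpdump",
}


def check_integrity(snapshot: dict[str, bytes],
                    baseline: dict[str, str] = BASELINE) -> list[Finding]:
    """Compare a collected snapshot (path -> file bytes) against the baseline.

    Reports: baseline binaries that are missing or whose hash changed (the
    replaced-netd case), and files present in a baselined directory that the
    baseline does not know about (dropped Tor/Dropbear/tcpdump-style components).
    """
    findings: list[Finding] = []

    # 1. Every known-good binary must exist and hash to its expected value.
    for path, expected in baseline.items():
        if path not in snapshot:
            findings.append(Finding(path, "baseline binary missing", "high"))
        elif sha256_hex(snapshot[path]) != expected:
            findings.append(Finding(path, "hash differs from known-good baseline", "high"))

    # 2. Anything else living in a baselined system directory is unexpected.
    baseline_dirs = {p.rsplit("/", 1)[0] for p in baseline}
    for path in sorted(snapshot):
        dirname, name = path.rsplit("/", 1)
        if dirname in baseline_dirs and path not in baseline:
            confidence = "medium" if name in REPORTED_COMPONENT_NAMES else "low"
            findings.append(Finding(path, "unexpected file in system binary directory", confidence))
    return findings


def demo_snapshot() -> dict[str, bytes]:
    """Constructed snapshot of a device where netd was swapped and a 'td' binary dropped."""
    return {
        "/system/bin/netd": b"constructed: replaced netd with extra behaviour",
        "/system/bin/sh": b"constructed: genuine sh build",
        "/system/bin/td": b"constructed: unknown binary named td",
    }


if __name__ == "__main__":
    for f in check_integrity(demo_snapshot()):
        print(f"[{f.confidence}] {f.path}: {f.reason}")
```

On the constructed snapshot this reports the modified netd at high confidence and the unknown `td` file at medium confidence, while the untouched `sh` produces nothing. Because the baseline is keyed by full path, the check also covers the "missing binary" case, which matters when an implant removes or renames the original it replaced.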
“The Infamous Chisel components are low to medium sophistication and appear to have been developed with little regard to defense evasion or concealment of malicious activity,” the agencies said.
“The searching of specific files and directory paths that relate to military applications and exfiltration of this data reinforces the intention to gain access to these networks. Although the components lack basic obfuscation or stealth techniques to disguise activity, the actor may have deemed this not necessary, since many Android devices do not have a host-based detection system.”
The development comes as the National Cybersecurity Coordination Center of Ukraine (NCSCC) shed light on the phishing endeavors of another Kremlin-backed hacking outfit known as Gamaredon (aka Aqua Blizzard, Shuckworm, or UAC-0010) to siphon classified information.
The government agency said the threat actor, which has repeatedly targeted Ukraine since 2013, is ramping up attacks on military and government entities with the goal of harvesting sensitive data relating to its counteroffensive operations against Russian troops.
“Gamaredon uses stolen legitimate documents of compromised organizations to infect victims,” NCSCC said.
The group has a track record of abusing Telegram and Telegraph as dead drop resolvers to retrieve information pertaining to its command-and-control (C2) infrastructure, while leveraging a “well-rounded” arsenal of malware tools to meet its strategic goals.
This comprises GammaDrop, GammaLoad, GammaSteel, LakeFlash, and Pterodo, the last of which is a multipurpose tool honed for espionage and data exfiltration.
“Its versatility in deploying various modules makes it a potent threat, capable of infiltrating and compromising targeted systems with precision,” NCSCC said.
“While Gamaredon may not be the most technically advanced threat group targeting Ukraine, their tactics exhibit a calculated evolution. The growing frequency of attacks suggests an expansion in their operational capacity and resources.”