Description

On August 31, 2023, cybersecurity and intelligence agencies from Australia, Canada, New Zealand, the United Kingdom, and the United States jointly revealed information about a mobile malware strain that has been targeting Android devices used by the Ukrainian military. This malicious software, known as Infamous Chisel, is attributed to a Russian state-sponsored actor called Sandworm. Infamous Chisel has the capability to gain unauthorized access to compromised devices, scan files, monitor network traffic, and periodically steal sensitive information.

Earlier in August, the Security Service of Ukraine had already uncovered some aspects of this malware, highlighting the adversary's unsuccessful attempts to infiltrate Ukrainian military networks and gather valuable intelligence. It was discovered that Russian forces had seized tablets used by Ukraine on the battlefield, using them as a foothold to remotely disseminate the malware to other devices via the Android Debug Bridge command-line tool.

Sandworm, also referred to as FROZENBARENTS, Iron Viking, Seashell Blizzard, and Voodoo Bear, is associated with the Russian Main Intelligence Directorate's (GRU) Main Centre for Special Technologies (GTsST). Sandworm has been active since at least 2014 and is notorious for its disruptive and destructive cyber campaigns, utilizing malware such as Industroyer, BlackEnergy, and NotPetya. In July 2023, Mandiant, a company owned by Google, reported that the GRU's malicious cyber operations follow a playbook that provides tactical and strategic advantages. This allows threat actors to adapt quickly to a fast-paced and highly contested operating environment while maximizing their speed, scale, and intensity without being detected.

Infamous Chisel is described as a multifaceted collection of components designed to enable remote access and data exfiltration from Android phones.
Apart from scanning devices for information and files matching specific file extensions, the malware also has the capability to periodically scan the local network and offer SSH access. Infamous Chisel provides remote access by configuring and executing TOR with a hidden service that forwards to a modified Dropbear binary, offering an SSH connection, as reported by the Five Eyes (FVEY) intelligence alliance. Persistence on the device is achieved by replacing the legitimate netd daemon, responsible for network configuration on Android, with a rogue version, granting it the ability to execute commands as the root user.

In terms of data exfiltration frequency, file and device data are compiled daily, while sensitive military information is extracted every 10 minutes. Scanning of the local area network occurs once every two days.

The components of Infamous Chisel are characterized as having low to medium sophistication and appear to have been developed with little consideration for defense evasion or concealing malicious activity, according to the agencies involved. The targeting of specific files and directory paths related to military applications and the exfiltration of this data underscores the intention to gain access to these networks. Although the components lack basic obfuscation or stealth techniques to conceal their activity, the threat actor may have deemed this unnecessary, given that many Android devices lack host-based detection systems.

This development coincides with the National Cybersecurity Coordination Center of Ukraine (NCSCC) shedding light on the phishing efforts of another Kremlin-backed hacking group known as Gamaredon (also known as Aqua Blizzard, Shuckworm, or UAC-0010). Gamaredon has been targeting Ukraine repeatedly since 2013, intensifying its attacks on military and government entities with the aim of harvesting sensitive data related to counteroffensive operations against Russian troops.
NCSCC revealed that Gamaredon employs stolen legitimate documents from compromised organizations to infect its victims.
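Two of the Infamous Chisel behaviours described above lend themselves to simple host-side checks: a replaced netd binary shows up as a hash mismatch against the firmware's known-good copy, and exfiltration on a fixed cadence (every 10 minutes for military data) shows up as periodic connections to one destination. The following Python script is an added example, not code from the advisory or the agencies that published it; the baseline and device hashes, the destination addresses and the connection log are all constructed sample data, and the only real path it uses is /system/bin/netd.

```python
"""
Added example (not from the original advisory): host-side checks for the
behaviours the text attributes to Infamous Chisel, a replaced netd binary
and exfiltration on a fixed cadence. All digests, destination addresses and
log lines below are constructed sample data.
"""
import hashlib
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed "known-good" baseline, as it would be taken from a trusted
# firmware image. The digest is derived from placeholder bytes, not real netd.
FIRMWARE_BASELINE = {
    "/system/bin/netd": hashlib.sha256(b"placeholder: genuine netd bytes").hexdigest(),
}

# Constructed snapshot of the same file as read from the device under review.
DEVICE_SNAPSHOT = {
    "/system/bin/netd": hashlib.sha256(b"placeholder: replaced netd bytes").hexdigest(),
}


def check_system_binaries(baseline, snapshot):
    """Return paths whose on-device hash differs from the firmware baseline."""
    return [path for path, digest in baseline.items() if snapshot.get(path) != digest]


# Constructed outbound connection log: "<timestamp> <dest_host> <bytes_out>".
# 203.0.113.10 is contacted roughly every 600 s; 198.51.100.7 is ordinary traffic.
CONNECTION_LOG = """\
2023-08-01T10:00:05Z 203.0.113.10 5120
2023-08-01T10:03:11Z 198.51.100.7 800
2023-08-01T10:10:03Z 203.0.113.10 4870
2023-08-01T10:20:08Z 203.0.113.10 5302
2023-08-01T10:25:40Z 198.51.100.7 120
2023-08-01T10:30:03Z 203.0.113.10 4990
2023-08-01T10:40:07Z 203.0.113.10 5111
"""


def parse_log(text):
    """Group (timestamp, bytes) events by destination host."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, host, nbytes = line.split()
        conns[host].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(nbytes)))
    return conns


def find_beacons(conns, period_s=600, tolerance_s=30, min_hits=4):
    """Flag hosts contacted at a near-fixed interval (default ~10 minutes).

    The median gap between consecutive connections must be close to period_s
    and every individual gap must be close to that median, so bursty traffic
    to a busy host is not flagged. Returns [(host, median_gap_seconds), ...].
    """
    hits = []
    for host, events in conns.items():
        if len(events) < min_hits:
            continue
        times = sorted(t for t, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        regular = all(abs(g - median_gap) <= tolerance_s for g in gaps)
        if regular and abs(median_gap - period_s) <= tolerance_s:
            hits.append((host, int(median_gap)))
    return hits


def review_device(baseline, snapshot, log_text):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for path in check_system_binaries(baseline, snapshot):
        findings.append(f"system binary differs from firmware baseline: {path}")
    for host, interval in find_beacons(parse_log(log_text)):
        findings.append(f"periodic outbound connections to {host} every ~{interval}s")
    return findings


if __name__ == "__main__":
    for finding in review_device(FIRMWARE_BASELINE, DEVICE_SNAPSHOT, CONNECTION_LOG):
        print("FINDING:", finding)
```

In practice the baseline digests would come from the vendor firmware image or a clean reference device of the same build, and the connection records from whatever egress logging the fleet already has; the periodicity check is deliberately tolerant of a few seconds of jitter because the text describes a schedule, not an exact timer.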