
Russian state-backed ‘Infamous Chisel’ Android malware targets Ukrainian military


In a joint advisory, cybersecurity and intelligence agencies from Australia, Canada, New Zealand, the U.K. and the U.S. have published details of a mobile malware family known as Infamous Chisel. The malware is attributed to the Russian state-sponsored actor Sandworm and has been used against Android devices operated by the Ukrainian military.

Infamous Chisel is a collection of components that together give the operator persistent unauthorized access to a compromised device, scan its files, monitor network traffic and periodically exfiltrate sensitive information.

The Security Service of Ukraine (SBU) first disclosed details of the malware in August 2023. Its findings pointed to a sustained effort by the adversary to get inside Ukrainian military networks and collect intelligence from them.

It has also emerged that Russian forces obtained tablets used by Ukrainian troops on the battlefield and used them as a foothold to push the malware to other devices with the Android Debug Bridge (ADB) command-line tool. ADB access is enough to copy binaries onto a device and run shell commands on it, which is why leaving USB debugging enabled on fielded devices is a significant risk.

The entity known as Sandworm, which also goes by aliases like FROZENBARENTS, Iron Viking, Seashell Blizzard, and Voodoo Bear, is associated with the Russian Main Intelligence Directorate’s (GRU) Main Centre for Special Technologies (GTsST). With a history dating back to at least 2014, Sandworm is infamous for orchestrating a series of disruptive and destructive cyber campaigns. Their arsenal includes infamous malware strains like Industroyer, BlackEnergy, and NotPetya.

In July 2023, Mandiant, a subsidiary of Google, published an analysis of how the GRU runs its malicious cyber operations. It described a playbook that offers tactical and strategic advantages, allowing the threat actors to adapt quickly to a fast-paced and highly contested operating environment while maximizing speed, scale and intensity without being detected.

Infamous Chisel fits this pattern: it is a multi-component toolset built to provide remote access to Android devices and to exfiltrate information from them.

Among its capabilities, Infamous Chisel scans the device for system information and for files whose extensions match a predefined list. It also performs periodic network scanning and provides SSH access to the device.

The remote-access mechanism is notable: the malware configures and runs Tor with a hidden service that forwards to a modified Dropbear binary. Because a hidden service is reachable through the Tor network rather than through an inbound route to the device, the operator gets SSH connectivity without the device needing a public address or an open inbound port.

A breakdown of the components within Infamous Chisel shows how the functionality is divided:

  1. netd – Collects and exfiltrates information from the compromised device at regular intervals, including data from app-specific directories and web browsers.
  2. td – Provides the Tor service.
  3. blob – Configures the Tor service and verifies network connectivity (executed by netd).
  4. tcpdump – An unmodified copy of the legitimate tcpdump utility, used for packet capture.
  5. killer – Terminates the netd process.
  6. db – A set of tools for copying files and for providing secure shell access through the Tor hidden service using a modified Dropbear.
  7. NDBR – A multi-call binary built for both Arm (ndbr_armv7l) and Intel (ndbr_i686) CPU architectures.

Infamous Chisel establishes persistence by replacing the legitimate netd daemon, which is responsible for network configuration on Android, with a rogue version. Because init starts netd as root at every boot, the replacement runs with root privileges each time the device starts and can execute the actor's commands as root. Writing to the system partition in this way also implies that the attacker already had root access to the device when the implant was installed.
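The checks a defender would run on a device suspected of this kind of tampering, as an added example that is not code from the advisory or from the agencies behind it: a Python triage script that parses the output of three `adb shell` commands (`sha256sum /system/bin/netd`, `ps -A`, `netstat -tlnp`) and flags a netd binary whose hash differs from a known-good value, running processes named after the components listed above, and listening sockets owned by such processes (the Tor and Dropbear pieces of the remote-access path). The known-good hash, the assumption that the component names double as on-device process names, and the sample command output are all constructed for this demo; none of them are indicators from the report.

```python
"""Offline triage of adb command output for indicators consistent with the
Infamous Chisel behaviour described in the text. Added example, not advisory code."""
import re

# Component names as listed in the component breakdown above. ASSUMED here to
# also be the on-device process/file names; a real deployment may rename them.
COMPONENT_NAMES = {"td", "blob", "killer", "db", "ndbr_armv7l", "ndbr_i686"}

# SHA-256 of the legitimate netd taken from a trusted firmware image of the SAME
# build. Placeholder value for this demo; compute the real one yourself.
KNOWN_GOOD_NETD_SHA256 = "0" * 64


def check_netd_hash(sha256sum_output: str) -> list[str]:
    """Compare `adb shell sha256sum /system/bin/netd` output with the known-good hash."""
    findings = []
    for line in sha256sum_output.splitlines():
        m = re.match(r"^([0-9a-f]{64})\s+(\S+)$", line.strip())
        if not m:
            continue
        digest, path = m.groups()
        if path.endswith("/netd") and digest != KNOWN_GOOD_NETD_SHA256:
            findings.append(f"netd hash mismatch: {path} = {digest[:16]}...")
    return findings


def check_processes(ps_output: str) -> list[str]:
    """Flag running processes whose name is a known component name (`adb shell ps -A`)."""
    findings = []
    for line in ps_output.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) < 2:
            continue
        user, name = fields[0], fields[-1]  # NAME is the last column of toybox ps
        if name in COMPONENT_NAMES:
            findings.append(f"component-named process: {name} (user={user})")
    return findings


def check_listeners(netstat_output: str) -> list[str]:
    """Flag listening sockets owned by a component process (`adb shell netstat -tlnp`)."""
    findings = []
    for line in netstat_output.splitlines():
        m = re.search(r"(\S+:\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)", line)
        if not m:
            continue
        local, pid, prog = m.groups()
        if prog in COMPONENT_NAMES:
            findings.append(f"listener {local} owned by {prog} (pid {pid})")
    return findings


def triage(sha256sum_output: str, ps_output: str, netstat_output: str) -> list[str]:
    """Run all three checks and return the combined list of findings."""
    return (check_netd_hash(sha256sum_output)
            + check_processes(ps_output)
            + check_listeners(netstat_output))


# Constructed sample output, not captured from a real device. The netd hash is
# deliberately wrong and the td/db processes stand in for Tor and Dropbear.
SAMPLE_SHA256SUM = "a" * 64 + "  /system/bin/netd"
SAMPLE_PS = """\
USER           PID  PPID     VSZ    RSS WCHAN            ADDR S NAME
root             1     0   12345   1234 0                   0 S init
root          1337     1   54321   4321 0                   0 S netd
root          2048  1337   98765   8765 0                   0 S td
root          2049  1337   76543   6543 0                   0 S db
u0_a12        3001   512  123456  45678 0                   0 S com.android.chrome
"""
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      2048/td
tcp        0      0 127.0.0.1:22            0.0.0.0:*               LISTEN      2049/db
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_SHA256SUM, SAMPLE_PS, SAMPLE_NETSTAT):
        print("[!]", finding)
```

Two caveats apply in practice. Short generic names such as `db` will produce false positives on a busy device, so treat a name hit as a prompt to pull the binary and hash it, not as a verdict. And a rogue root-level netd can make the device's own shell lie about what is running, so the authoritative hash comparison is against `/system/bin/netd` extracted from a firmware dump or a forensic image, not against `sha256sum` run on the live device.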

The exfiltration runs on fixed schedules: file and device information is collected daily, the most sensitive military data is stolen every ten minutes, and the local network is scanned once every two days.

Despite this functionality, the components of Infamous Chisel are of low to medium sophistication. They appear to have been developed with little or no regard for evading detection or hiding malicious activity, which the actor may have judged unnecessary given that many Android devices run no host-based detection at all.

This development coincides with revelations from the National Cybersecurity Coordination Center of Ukraine (NCSCC) regarding the activities of another Kremlin-backed hacking group known as Gamaredon. This group has been relentlessly targeting Ukraine since 2013 and is intensifying its attacks on military and government entities. Gamaredon is primarily focused on harvesting sensitive data pertaining to Ukraine’s counteroffensive operations against Russian forces.

Gamaredon employs a range of tactics, including weaponized copies of stolen legitimate documents as lures to infect victims. The group uses Telegram and Telegraph as dead drop resolvers, meaning its implants read content posted there to look up the current address of the command-and-control (C2) infrastructure rather than carrying it hard-coded. Its malware arsenal includes GammaDrop, GammaLoad, GammaSteel, LakeFlash and Pterodo, the last of which is a versatile tool tailored for espionage and data exfiltration.

While Gamaredon is not the most technically advanced threat group, its tactics show calculated evolution, and the increasing frequency of its attacks suggests expanded operational capacity and resources, making it a persistent threat to Ukrainian military and government networks.
