Russia’s military intelligence unit has been targeting Ukrainian Android devices with “Infamous Chisel,” the tracking name for new malware that’s designed to backdoor devices and steal critical information, Western intelligence agencies said on Thursday.
“Infamous Chisel is a collection of components which enable persistent access to an infected Android device over the Tor network, and which periodically collates and exfiltrates victim information from compromised devices,” intelligence officials from the UK, US, Canada, Australia, and New Zealand wrote. “The information exfiltrated is a combination of system device information, commercial application information and applications specific to the Ukrainian military.”
A “serious threat”
Ukraine’s security service first called out the malware earlier this month. Ukrainian officials said then that Ukrainian personnel had “prevented Russia’s intelligence services from gaining access to sensitive information, including the activity of the Armed Forces, deployment of the Defense Forces, their technical provision, etc.”
Infamous Chisel gains persistence by replacing the legitimate system component known as netd with a malicious version. Besides allowing Infamous Chisel to run each time a device is restarted, the malicious netd is also the main engine for the malware. It uses shell scripts and commands to collate and collect device information and also searches directories for files that have a predefined set of extensions. Depending on where on the infected device a collected file is located, netd sends it to Russian servers either immediately or once a day.
When exfiltrating files of interest, Infamous Chisel uses the TLS protocol and a hard-coded IP and port. Use of the local IP address is likely a mechanism to relay the network traffic over a VPN or other secure channel configured on the infected device. This would allow the exfiltration traffic to blend in with expected encrypted network traffic. In the event a connection to the local IP and port fails, the malware falls back to a hard-coded domain that’s resolved using a request to dns.google.
Infamous Chisel also installs a version of the Dropbear SSH client that can be used to remotely access a device. The version installed has authentication mechanisms that have been modified from the original version to change the way users log in to an SSH session.
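The two on-disk indicators described above (a replaced netd binary and an unexpectedly present Dropbear SSH binary) are the kind of change a file-integrity baseline catches. The script below is an added example written for this article, not code from the advisory or from any of the agencies involved; it snapshots SHA-256 hashes of a system binary directory from a trusted image, then reports binaries that were modified, removed, or added since. The directory layout, the watched file names, and the JSON baseline format are assumptions, and the demo runs against a constructed temporary directory rather than a real device.

```python
"""File-integrity baseline check for a system binary directory.

Added example (not the advisory's or the article's code). Flags the two
changes the Infamous Chisel write-up describes: a modified netd and a
newly dropped dropbear binary. Paths and baseline format are assumptions.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: these binaries are snapshotted from a known-good image.
WATCHED = ("netd", "sh", "toybox")
# Names whose presence in a system binary directory is itself a finding here,
# since the advisory reports a modified Dropbear SSH being installed.
UNEXPECTED_SSH = ("dropbear", "dropbearmulti")


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(bin_dir: Path) -> dict:
    """Map file name -> SHA-256 for every regular file in bin_dir."""
    return {p.name: sha256_file(p) for p in sorted(bin_dir.iterdir()) if p.is_file()}


def check_against_baseline(bin_dir: Path, baseline: dict) -> list:
    """Return findings as 'TAG name' strings: MODIFIED, MISSING, NEW, UNEXPECTED-SSH."""
    findings = []
    current = build_baseline(bin_dir)
    for name, digest in baseline.items():
        if name not in current:
            findings.append(f"MISSING {name}")
        elif current[name] != digest:
            findings.append(f"MODIFIED {name}")
    for name in current:
        if name not in baseline:
            tag = "UNEXPECTED-SSH" if name in UNEXPECTED_SSH else "NEW"
            findings.append(f"{tag} {name}")
    return findings


def demo() -> list:
    """Constructed scenario: baseline a fake system/bin, simulate the two
    changes the advisory describes, and return the resulting findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bin_dir = root / "system" / "bin"
        bin_dir.mkdir(parents=True)
        # Placeholder bytes stand in for real ELF binaries (constructed).
        for name in WATCHED:
            (bin_dir / name).write_bytes(b"ELF-placeholder:" + name.encode())
        baseline = build_baseline(bin_dir)
        (root / "baseline.json").write_text(json.dumps(baseline, indent=2))

        # Simulated compromise: netd replaced, dropbear dropped beside it.
        (bin_dir / "netd").write_bytes(b"ELF-placeholder:netd-replaced")
        (bin_dir / "dropbear").write_bytes(b"ELF-placeholder:dropbear")

        saved = json.loads((root / "baseline.json").read_text())
        return check_against_baseline(bin_dir, saved)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In practice the baseline is taken from a trusted firmware image and stored off-device, since a replaced netd runs at boot and could tamper with anything kept locally; comparing against a signed copy is what makes the "MODIFIED netd" finding trustworthy.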
In Thursday’s write-up, officials wrote:
The Infamous Chisel components are low to medium sophistication and appear to have been developed with little regard to defence evasion or concealment of malicious activity.
The searching of specific files and directory paths that relate to military applications and exfiltration of this data reinforces the intention to gain access to these networks. Although the components lack basic obfuscation or stealth techniques to disguise activity, the actor may have deemed this not necessary, since many Android devices do not have a host-based detection system. Two interesting techniques are present in Infamous Chisel:
- the replacement of the legitimate netd executable to maintain persistence
- the modification of the authentication function in the components that include dropbear
These techniques require a good level of C++ knowledge to make the alterations and an awareness of Linux authentication and boot mechanisms.
Even with the lack of concealment functions, these components present a serious threat because of the impact of the information they can collect.
The report didn’t say how the malware gets installed. In the advisory Ukraine’s security service issued earlier this month, officials said that Russian personnel had “captured Ukrainian tablets on the battlefield, pursuing the aim to spread malware and abuse available access to penetrate the system.” It’s unclear if this was the vector.
Infamous Chisel, the report said, was created by a threat actor tracked as Sandworm. Sandworm is among the most skilled and cutthroat hacking groups in the world, and it has been behind some of the most destructive attacks in history. The group has been definitively linked to the NotPetya wiper attacks of 2017, a global outbreak that a White House assessment said caused $10 billion in damages, making it the most costly hack in history. Sandworm has also been definitively tied to hacks on Ukraine’s power grid that caused widespread outages during the coldest months of 2016 and again in 2017.