
DEEPDATA Malware

A threat actor operating under the alias BrazenBamboo has leveraged an unpatched vulnerability in Fortinet's FortiClient for Windows to harvest VPN credentials. This activity is part of a sophisticated modular framework referred to as DEEPDATA.

Researchers analyzing this campaign first observed exploitation of the zero-day credential-disclosure vulnerability in July 2024. They attribute the development of DEEPDATA, DEEPPOST, and LightSpy to BrazenBamboo.

What is the DEEPDATA Malware

DEEPDATA is a modular post-exploitation tool for Windows, capable of collecting extensive information from compromised devices. It first came to attention when researchers analyzing the Windows-based surveillance framework linked it to the China-associated APT41 threat actor. DEEPDATA has been used to extract data from communication platforms such as WhatsApp, Telegram, Signal, WeChat, LINE, QQ, and Skype, as well as from Microsoft Outlook, DingDing, Feishu, and KeePass, and to collect application credentials, browser data, saved Wi-Fi networks, and the list of installed software.

At the heart of DEEPDATA is a dynamic-link library (DLL) loader known as data.dll, which decrypts and deploys 12 distinct plugins through an orchestrator module named frame.dll. Among these plugins is a newly identified FortiClient plugin DLL that harvests VPN credentials.

This plugin takes advantage of an unpatched zero-day vulnerability in the Fortinet VPN client for Windows. Because the client holds the user's credentials in the memory of its own process, the plugin does not need to touch any configuration file or credential store on disk: it reads the credentials directly out of the running FortiClient process.
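Reading another process's memory on Windows requires opening a handle to it with PROCESS_VM_READ, which Sysmon records as Event ID 10 (ProcessAccess) with a GrantedAccess mask. A defender can therefore hunt for unexpected processes opening the FortiClient process with that right. The script below is an added example written for this article, not code from the article or from any vendor; the log lines are constructed, the pipe-delimited log format, the FortiClient image names, and the allowlist of benign source images are assumptions to be adjusted to the real environment.

```python
"""Hunt Sysmon ProcessAccess (Event ID 10) records for processes that open
FortiClient with PROCESS_VM_READ, the access right a credential-stealing
plugin needs to read the client's memory.

Added example; the log lines, field layout, image names and allowlist below
are constructed assumptions, not data from the article.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Windows process access rights relevant here (standard Win32 values).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Assumed FortiClient image names (lower-case, file name only).
FORTICLIENT_IMAGES = {"forticlient.exe", "fcconfig.exe", "fortitray.exe"}

# Hypothetical allowlist of source images that legitimately open other
# processes with VM_READ (crash handlers, EDR). Tune per environment.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\werfault.exe",
}


@dataclass
class ProcessAccess:
    source_image: str
    target_image: str
    granted_access: int


def parse_event(line: str) -> Optional[ProcessAccess]:
    """Parse one pipe-delimited 'Key=Value' record; return None unless it is
    a complete Event ID 10 record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|") if "=" in part)
    if fields.get("EventID") != "10":
        return None
    try:
        return ProcessAccess(
            fields["SourceImage"],
            fields["TargetImage"],
            int(fields["GrantedAccess"], 16),
        )
    except (KeyError, ValueError):
        return None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(ev: ProcessAccess) -> bool:
    """True when a non-allowlisted process opened FortiClient with VM_READ."""
    if basename(ev.target_image) not in FORTICLIENT_IMAGES:
        return False
    if not ev.granted_access & PROCESS_VM_READ:
        return False  # e.g. 0x1000 (query limited information) is not a read
    return ev.source_image.lower() not in ALLOWLIST


def hunt(lines: Iterable[str]) -> List[ProcessAccess]:
    return [ev for ev in map(parse_event, lines) if ev is not None and is_suspicious(ev)]


# Constructed sample log; only the first record should be flagged.
SAMPLE_LOG = [
    r"EventID=10|SourceImage=C:\Users\alice\AppData\Roaming\svc\rundll32.exe|TargetImage=C:\Program Files\Fortinet\FortiClient\FortiClient.exe|GrantedAccess=0x1410",
    r"EventID=10|SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Program Files\Fortinet\FortiClient\FortiClient.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Windows\explorer.exe|TargetImage=C:\Program Files\Fortinet\FortiClient\FortiClient.exe|GrantedAccess=0x1000",
    r"EventID=10|SourceImage=C:\tools\procdump.exe|TargetImage=C:\Windows\System32\notepad.exe|GrantedAccess=0x1FFFFF",
    r"EventID=1|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami",
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_LOG):
        print(f"ALERT {ev.source_image} -> {ev.target_image} access=0x{ev.granted_access:x}")
```

The mask check matters: 0x1410 contains VM_READ (0x0010) together with QUERY_INFORMATION (0x0400) and QUERY_LIMITED_INFORMATION (0x1000), which is the combination a memory-reading tool typically requests, whereas 0x1000 alone is a benign query that many processes perform. Treat the allowlist as a starting point and review every hit against the source process's path and signature rather than its name alone.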

Other Harmful Threats Part of the BrazenBamboo Arsenal

Since creating the LightSpy spyware implant in 2022, the attacker has consistently targeted communication platforms, prioritizing stealth and sustained access. The Windows version of LightSpy differs from the other OS variants in its architecture: it is deployed through an installer that loads a library to execute shellcode in memory, and that shellcode downloads and decodes the orchestrator component from the command-and-control server. The orchestrator is launched by a loader called BH_A006, which has previously been associated with the suspected Chinese threat group 'Space Pirates,' known for targeting Russian organizations.

Another tool in BrazenBamboo's malware arsenal is DEEPPOST, a post-exploitation data exfiltration tool capable of sending files to a remote endpoint. Together, DEEPDATA and DEEPPOST significantly enhance the threat actor's cyber espionage capabilities, building on the earlier work with LightSpy, which now targets macOS, iOS, and Windows.

There are notable code and infrastructure similarities between LightSpy and DEEPDATA, indicating that both malware families are likely developed by the same private enterprise, potentially contracted to create hacking tools for governmental use.
