Infamous Chisel Mobile Malware
Cyber operatives affiliated with the Main Directorate of the General Staff of the Russian Federation Armed Forces, commonly referred to as the GRU, have launched a targeted campaign against Android devices in Ukraine. Their weapon of choice in this offensive is a recently discovered malicious toolkit dubbed 'Infamous Chisel'.
This framework gives the attackers backdoor access to targeted devices through a hidden service on the Tor (The Onion Router) network. Through that service the attackers can scan local files, intercept network traffic, and extract sensitive data.
The Ukrainian Security Service (SSU) first sounded the alarm about the threat, alerting the public to the Sandworm hacking group's endeavors to infiltrate military command systems using this malware.
Subsequently, both the UK National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) analyzed the technical details of Infamous Chisel. Their reports describe its capabilities and provide practical guidance for defending against this threat.
The Infamous Chisel Boasts a Wide Range of Harmful Capabilities
Infamous Chisel is composed of several components designed to establish persistent control over compromised Android devices through the Tor network. Periodically, it collects victim data from the infected devices and transfers it to the attackers.
Once a device has been infiltrated, the central component, 'netd', takes control and executes a set of commands and shell scripts. To achieve lasting persistence, it replaces the legitimate Android 'netd' system binary.
This malware is specifically designed to compromise Android devices and to meticulously scan for information and applications pertaining to the Ukrainian military. All acquired data is then forwarded to the perpetrator's servers.
To prevent the duplication of sent files, a concealed file named '.google.index' employs MD5 hashes to keep tabs on the transmitted data. The system's capacity is capped at 16,384 files, so duplicates could be exfiltrated beyond this threshold.
Infamous Chisel casts a wide net when it comes to file extensions, targeting an extensive list including .dat, .bak, .xml, .txt, .ovpn, .xml, wa.db, msgstore.db, .pdf, .xlsx, .csv, .zip, telephony.db, .png, .jpg, .jpeg, .kme, database.hik, database.hik-journal, ezvizlog.db, cache4.db, contacts2.db, .ocx, .gz, .rar, .tar, .7zip, .zip, .kmz, locksettings.db, mmssms.db, telephony.db, signal.db, mmssms.db, profile.db, accounts.db, PyroMsg.DB, .exe, .kml. It also scans the device's internal storage and any available SD cards for matching files.
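The target list above mixes two kinds of patterns: plain extensions (".ovpn", ".gz") and exact database file names ("wa.db", "database.hik-journal"), so a responder triaging what may have been collected from a device needs to match both. The following script is an added example, not code from the article or from the NCSC/CISA reports; it takes the list exactly as quoted (including the article's repeated entries, which the set collapses) and groups a file listing by the pattern each path would have matched. The sample listing is constructed for the example and does not represent a real device.

```python
# Added example: triage a file listing against the Infamous Chisel target
# list quoted in the article. Not code from the article or the NCSC/CISA
# reports; the sample paths below are constructed.
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Patterns copied verbatim from the article's list. The article repeats
# several entries (.xml, .zip, telephony.db, mmssms.db); the sets below
# collapse them.
RAW_TARGETS = [
    ".dat", ".bak", ".xml", ".txt", ".ovpn", ".xml", "wa.db", "msgstore.db",
    ".pdf", ".xlsx", ".csv", ".zip", "telephony.db", ".png", ".jpg", ".jpeg",
    ".kme", "database.hik", "database.hik-journal", "ezvizlog.db", "cache4.db",
    "contacts2.db", ".ocx", ".gz", ".rar", ".tar", ".7zip", ".zip", ".kmz",
    "locksettings.db", "mmssms.db", "telephony.db", "signal.db", "mmssms.db",
    "profile.db", "accounts.db", "PyroMsg.DB", ".exe", ".kml",
]

# An entry starting with a dot is an extension pattern; anything else is an
# exact file name. Matching is case-insensitive because the list itself mixes
# cases ("PyroMsg.DB").
TARGET_EXTENSIONS = frozenset(p.lower() for p in RAW_TARGETS if p.startswith("."))
TARGET_FILENAMES = frozenset(p.lower() for p in RAW_TARGETS if not p.startswith("."))


def matches_target(path: str) -> Optional[str]:
    """Return the pattern `path` matches, or None if it would not be swept up.

    Exact file names are checked first, then only the final suffix of the
    name, so "archive.tar.gz" matches on ".gz" while "locksettings.db-journal"
    (suffix ".db-journal") matches nothing.
    """
    name = PurePosixPath(path).name.lower()
    if name in TARGET_FILENAMES:
        return name
    suffix = PurePosixPath(name).suffix  # "" when the name has no dot
    if suffix in TARGET_EXTENSIONS:
        return suffix
    return None


def triage_listing(paths: List[str]) -> Dict[str, List[str]]:
    """Group a file listing by the target pattern each path matched.

    Paths that match nothing are dropped, so the result is the subset of the
    device's files that falls in the category the malware collects.
    """
    hits: Dict[str, List[str]] = {}
    for p in paths:
        pattern = matches_target(p)
        if pattern is not None:
            hits.setdefault(pattern, []).append(p)
    return hits


# Constructed sample listing for a stand-alone run (not real device contents).
SAMPLE_LISTING = [
    "/data/data/com.whatsapp/databases/msgstore.db",
    "/sdcard/Download/site.ovpn",
    "/sdcard/DCIM/IMG_0001.JPG",
    "/data/data/org.thoughtcrime.securesms/databases/signal.db",
    "/sdcard/notes/todo.md",
    "/sdcard/backup/archive.tar.gz",
    "/data/system/locksettings.db-journal",
]

if __name__ == "__main__":
    for pattern, files in sorted(triage_listing(SAMPLE_LISTING).items()):
        print(f"{pattern:>12} -> {files}")
```

Running the script on the sample listing reports five matches (msgstore.db, signal.db, .ovpn, .jpg and .gz) and leaves the Markdown note and the journal file out; in practice the input would be a file listing pulled from the device during incident response.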
Attackers can Use the Infamous Chisel to Obtain Sensitive Data
The Infamous Chisel malware conducts a comprehensive scan within Android's /data/ directory, seeking out applications such as Google Authenticator, OpenVPN Connect, PayPal, Viber, WhatsApp, Signal, Telegram, Gmail, Chrome, Firefox, Brave, Microsoft One Cloud, Android Contacts, and an array of others.
Moreover, the malware can collect hardware information and scan the local area network to identify open ports and active hosts. Attackers gain remote access through SOCKS and an SSH connection, which is routed through a randomly generated .ONION domain.
The exfiltration of files and device data occurs at regular intervals, precisely every 86,000 seconds, the equivalent of one day. LAN scanning activities transpire every two days, while the extraction of highly sensitive military data takes place far more frequently, at intervals of 600 seconds (every 10 minutes).
Furthermore, the configuration and execution of the Tor services that facilitate remote access are scheduled every 6,000 seconds. To confirm network connectivity, the malware checks the 'geodatatoo(dot)com' domain every 3 minutes.
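The fixed schedules described above (the 3-minute connectivity check, the 600-second, 6,000-second and 86,000-second tasks) are exactly the kind of regularity a defender can look for in resolver or flow logs. The script below is an added example, not code from the article or from the NCSC/CISA reports: it parses a simple constructed log format of "timestamp source domain" lines, computes the gaps between successive queries per (source, domain) pair, and flags pairs whose gaps are tightly clustered around one of the cadences the article quotes. It is deliberately more general than the one domain the article names: any domain queried at one of those cadences is reported, with a flag marking whether the domain is on a watch list. The log lines, host names and the "placeholder-c2.invalid" domain are constructed for the example.

```python
# Added example: flag hosts that query a domain at one of the fixed cadences
# described in the article. Not code from the article or the NCSC/CISA
# reports; the log format and sample lines are constructed.
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, median, pstdev
from typing import Dict, List, Optional, Tuple

# Cadences quoted in the article, in seconds.
KNOWN_CADENCES = {
    180: "connectivity check (every 3 minutes)",
    600: "sensitive-data exfiltration (every 600 s)",
    6000: "Tor service setup (every 6,000 s)",
    86000: "file and device-data exfiltration (every 86,000 s)",
}

# Domain named in the article, undefanged here so it compares to log lines.
WATCH_DOMAINS = frozenset({"geodatatoo.com"})


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Parse 'YYYY-MM-DDTHH:MM:SSZ source domain'; return None for bad lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return ts, parts[1], parts[2].rstrip(".").lower()


def intervals_by_flow(lines: List[str]) -> Dict[Tuple[str, str], List[float]]:
    """Seconds between successive queries, keyed by (source, domain)."""
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            ts, src, dom = rec
            stamps[(src, dom)].append(ts)
    gaps = {}
    for key, times in stamps.items():
        times.sort()
        gaps[key] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return gaps


def classify_cadence(gaps: List[float], tolerance: float = 0.10,
                     max_jitter: float = 0.05) -> Optional[int]:
    """Return the known cadence the gaps match, or None.

    Requires at least three gaps (four queries), a median within `tolerance`
    of a known period, and a relative standard deviation below `max_jitter`,
    so one-off lookups and irregular traffic are not reported.
    """
    if len(gaps) < 3:
        return None
    med = median(gaps)
    if med <= 0:
        return None
    if pstdev(gaps) / mean(gaps) > max_jitter:
        return None
    for period in KNOWN_CADENCES:
        if abs(med - period) / period <= tolerance:
            return period
    return None


def find_beacons(lines: List[str]) -> List[Tuple[str, str, int, str, bool]]:
    """(source, domain, period, label, on_watch_list) for every periodic flow."""
    findings = []
    for (src, dom), gaps in intervals_by_flow(lines).items():
        period = classify_cadence(gaps)
        if period is not None:
            findings.append((src, dom, period, KNOWN_CADENCES[period], dom in WATCH_DOMAINS))
    return sorted(findings)


# Constructed sample log: device-A beacons every ~180 s with small jitter and
# also makes irregular benign lookups; device-B makes only two lookups;
# device-C beacons every 600 s to a constructed domain not on the watch list.
SAMPLE_LOG = [
    "2023-09-01T10:00:00Z device-A geodatatoo.com",
    "2023-09-01T10:00:30Z device-A updates.example.org",
    "2023-09-01T10:01:02Z device-A updates.example.org",
    "2023-09-01T10:03:00Z device-A geodatatoo.com",
    "2023-09-01T10:06:01Z device-A geodatatoo.com",
    "2023-09-01T10:07:45Z device-A updates.example.org",
    "2023-09-01T10:07:50Z device-A updates.example.org",
    "2023-09-01T10:08:59Z device-A geodatatoo.com",
    "2023-09-01T10:12:00Z device-A geodatatoo.com",
    "2023-09-01T10:05:00Z device-B geodatatoo.com",
    "2023-09-01T10:05:01Z device-B geodatatoo.com",
    "2023-09-01T10:00:00Z device-C placeholder-c2.invalid",
    "2023-09-01T10:10:00Z device-C placeholder-c2.invalid",
    "2023-09-01T10:20:00Z device-C placeholder-c2.invalid",
    "2023-09-01T10:30:00Z device-C placeholder-c2.invalid",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for src, dom, period, label, watched in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dom}: {period}s ({label}){' [watch list]' if watched else ''}")
```

On the sample log the detector reports device-A's 3-minute checks to the watch-listed domain and device-C's 600-second flow, while device-B's two lookups and device-A's irregular update traffic are ignored. The jitter and tolerance thresholds are the knobs to tune against a real log: too tight and a beacon that backs off on failure is missed, too loose and ordinary polling traffic is reported.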
It's worth noting that Infamous Chisel does not prioritize stealth; it appears to be far more interested in rapid data exfiltration and in quickly moving on toward more valuable military networks.