Infamous Chisel Malware Targets Ukraine

The UK's National Cyber Security Centre (NCSC) and its allies within the Anglophone Five Eyes intelligence alliance have officially attributed a series of cyber attacks against Ukrainian military targets to the Sandworm advanced persistent threat (APT) group. This confirmation supports earlier claims by the Security Service of Ukraine (SBU), which initially exposed the unique Infamous Chisel malware family used in the attacks in August.

Sandworm, an APT group linked to Russia's military intelligence agency, the GRU, used the Infamous Chisel malware to target Android mobile devices owned by Ukraine's armed forces. At its core, the malware, in which Ukrainian investigators have identified 10 distinct components, was designed to covertly monitor compromised devices.

NCSC's operations director, Paul Chichester, commented, "The revelation of this malicious campaign targeting Ukrainian military assets highlights how Russia's illicit conflict in Ukraine is extending into cyberspace. Our latest report provides expert insights into the functionality of this new malware and exemplifies our collaborative efforts with allies in support of Ukraine's robust defense. The UK remains committed to exposing Russian cyber aggression and will persist in doing so."

The SBU, in conjunction with the Armed Forces of Ukraine, reported successfully thwarting Russian attempts to access sensitive information. This information was believed to encompass data on troop deployments, movements, and technical provisions.

According to Illia Vitiuk, SBU head of cyber security, "Since the outset of the full-scale conflict, we have been defending against cyber attacks orchestrated by Russian intelligence services, aimed at compromising our military command system and more. The operation we have conducted represents our cyber defense of our forces."

Infamous Chisel's Campaign in More Detail

The SBU's cyber investigators discovered that the GRU obtained tablets captured from Ukrainian forces on the battlefield. These tablets were then used to exploit preconfigured access, allowing the malicious distribution of files to other Android devices during a "lengthy and meticulous" preparation phase.

Infamous Chisel's various components worked together to maintain persistent access to infected Android devices via the Tor network. This was achieved by configuring and running Tor with a hidden service that connected to a modified Dropbear binary, providing a Secure Shell (SSH) connection. Periodically, the malware would gather and exfiltrate victim data, scanning for specific file extensions. Additionally, it monitored local networks, identifying active hosts and open ports to collect various data points.

The NCSC noted that the malware's various components exhibited low to medium sophistication, lacking robust defense evasion or concealment features. This might be because many Android devices lack host-based detection systems.

However, the NCSC's report highlighted two noteworthy techniques within Infamous Chisel. Firstly, one component replaced a legitimate executable, netd, to ensure persistence. Secondly, modifications to the authentication function in components containing Dropbear were particularly notable. Both of these techniques require a substantial level of C++ knowledge and an understanding of Linux authentication and boot mechanisms, as per the NCSC's assessment.
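As an added illustration (not from the NCSC report or this article), the following Python sketch shows how a defender with an inventory of device snapshots might check for the two behaviours the article names: a netd binary that no longer matches a known-good build, and Tor running alongside a listening Dropbear SSH daemon. The baseline hash, the snapshot format and the file paths are assumptions; all sample data is constructed.

```python
from __future__ import annotations
import hashlib
import os
from dataclasses import dataclass, field

# Assumed: the defender holds a known-good SHA-256 of /system/bin/netd for the
# device's firmware build. This value is derived from placeholder bytes, not a real hash.
BASELINE_NETD_SHA256 = hashlib.sha256(b"placeholder: genuine netd build").hexdigest()


@dataclass
class HostSnapshot:
    """One device's state as collected by an assumed inventory agent (constructed format)."""
    device: str
    netd_bytes: bytes                                   # contents of /system/bin/netd
    processes: list[str] = field(default_factory=list)  # executable paths of running processes
    listeners: list[tuple[str, int]] = field(default_factory=list)  # (executable path, TCP port)


def netd_replaced(snap: HostSnapshot) -> bool:
    """Persistence check: has the netd binary been swapped for something else?"""
    return hashlib.sha256(snap.netd_bytes).hexdigest() != BASELINE_NETD_SHA256


def tor_with_dropbear(snap: HostSnapshot) -> bool:
    """Remote-access check: a Tor process running while a Dropbear SSH daemon listens locally."""
    names = {os.path.basename(p) for p in snap.processes}
    dropbear_listening = any(os.path.basename(p) == "dropbear" for p, _ in snap.listeners)
    return "tor" in names and dropbear_listening


def assess(snap: HostSnapshot) -> list[str]:
    """Return human-readable findings; an empty list means neither indicator fired."""
    findings = []
    if netd_replaced(snap):
        findings.append("netd binary does not match the known-good build")
    if tor_with_dropbear(snap):
        findings.append("Tor process running alongside a listening Dropbear SSH daemon")
    return findings


# Constructed sample snapshots: one clean device and one showing both indicators.
CLEAN = HostSnapshot("tablet-01", b"placeholder: genuine netd build",
                     ["/system/bin/netd", "/system/bin/surfaceflinger"], [])
SUSPECT = HostSnapshot("tablet-02", b"placeholder: something else pretending to be netd",
                       ["/system/bin/netd", "/data/local/tmp/tor", "/data/local/tmp/dropbear"],
                       [("/data/local/tmp/dropbear", 6543)])

if __name__ == "__main__":
    for snap in (CLEAN, SUSPECT):
        print(snap.device, assess(snap) or ["no findings"])
```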

September 1, 2023
