Sandworm, the hacking team believed to be Unit 74455 of the Russian GRU (Glavnoye Razvedyvatel'noye Upravleniye), has been identified as using a set of exploits against Android devices used by the Ukrainian military.

A joint report issued by the NCSC, the NSA, CISA, the FBI, NCSC-NZ, CSE and ASD on 31st August provides insight into these tools and their behaviour.

Named Infamous Chisel, the malware is a collection of components targeting Android devices:

  • It performs periodic scanning of files and network information for exfiltration.
  • System and application configuration files are exfiltrated from an infected device.
  • Infamous Chisel provides network backdoor access via a Tor hidden service and Secure Shell (SSH).
  • Other capabilities include network monitoring, traffic collection, SSH access, network scanning and SCP file transfer.

Malware components

The malware consists of nine different files, each with a specific function:

  • Killer – A process manipulation utility for netd
  • blob – A decompressor tool and launcher for the Tor process
  • ndbr_arm71 – A multi-call binary with multiple capabilities
    • dropbear, dropbearkey, ssh, scp, nmap, dbclient, watchdog, rmflag, mkflag
  • db – A multi-call binary with multiple capabilities
    • dropbear, dropbearkey, ssh, scp, nmap, dbclient, watchdog, rmflag, mkflag
  • db.bz2 – A bzip file containing the db file
  • td – A compiled version of Tor
  • td.bz2 – A bzip file containing the td file
  • tcpdump – The tcpdump utility used by the nmap tool

Infection activities

Once on a device, the malicious version of netd replaces the legitimate netd on the target device, gaining persistence while also obtaining root permissions.

Killer terminates the legitimate netd process before the malicious version is used.

The blob utility decompresses the utilities contained within the bz2 files. In some instances mDNSResponder is used for DNS poisoning.

netd and tcpdump are used for reconnaissance of the device itself and the network it is connected to. netd obtains data relating to local files, GPS data, system information and IP configuration.

netd generates a series of tmp files to store the harvested data.

scp is used to exfiltrate the gathered data alongside td, which opens a channel through Tor. SSH is also used to exfiltrate data.

File exfiltration

An infected device is scanned every 600 seconds (10 minutes) for new data, which is immediately exfiltrated.

The /data/ directory of the victim device is scanned and the following sub-directories are targeted:

  • com.google.android.apps.authenticator2
  • net.openvpn.openvpn
  • free.vpn.unblock.proxy.vpnmaster
  • com.UCMobile.intl
  • com.brave.browser
  • com.opera.browser
  • com.hisense.odinbrowser
  • com.dzura
  • com.google.android.apps.docs
  • com.sec.android.app.myfiles
  • com.microsoft.skydrive
  • com.google.android.apps.walletnfcrel
  • com.paypal.android.p2pmobile
  • com.binance.dev
  • com.coinbase.android
  • com.wallet.crypto.trustapp
  • com.viber.voip
  • com.dropbox.android
  • com.android.providers.telephony
  • com.android.providers.contacts
  • com.cxinventor.file.explorer
  • com.elinke.fileserver
  • org.mozilla.firefox
  • com.whatsapp
  • org.thoughtcrime.securesms
  • org.telegram.messenger
  • org.telegram.messenger.web
  • com.discord
  • com.hikvisionsystems.app
  • com.hikvision.hikconnect
  • com.skype.raider
  • com.google.android.gm
  • com.android.chrome
  • org.chromium.webview_shell
  • keystore

Every file located within any of these directories is exfiltrated, regardless of file type.

In addition to the above /data/ directories, the following directories are also scanned for data:

  • /sdcard
  • /storage/emulated/0/
  • /data/media
  • /data/data/de.blinkt.openvpn
  • /data/data/org.thoughtcrime.securesms
  • /data/data/net.openvpn.openvpn
  • /data/data/org.telegram.messenger
  • /data/data/vpn.fastvpn.freevpn
  • /data/data/eu.thedarken.wldonate
  • /data/data/com.android.providers.contacts
  • /data/data/com.android.providers.telephony
  • /data/data/com.google.android.gm
  • /data/system/users/0/
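For an incident responder checking a device against the component names and the targeted /data/ directories listed above, here is an added Python triage helper that is not part of the advisory or this post; it assumes the `adb shell ps -A` and `adb shell pm list packages` output formats and runs on constructed sample output.

```python
# Added triage helper, not from the advisory: flags Infamous Chisel component
# and applet names in `adb shell ps -A` output and lists installed packages
# whose /data/ directory the malware targets (output formats are assumed).

# Names that would show up as process names (file names from the list above).
CHISEL_COMPONENTS = {"Killer", "blob", "ndbr_arm71", "db", "td", "tcpdump"}
MULTICALL_APPLETS = {"dropbear", "dropbearkey", "ssh", "scp", "nmap",
                     "dbclient", "watchdog", "rmflag", "mkflag"}

# Subset of the scanned /data/ sub-directories listed above.
TARGETED_PACKAGES = {
    "com.google.android.apps.authenticator2", "net.openvpn.openvpn",
    "org.thoughtcrime.securesms", "org.telegram.messenger", "com.whatsapp",
    "com.android.providers.contacts", "com.android.providers.telephony",
    "com.google.android.gm", "com.viber.voip", "com.discord",
}

def suspicious_processes(ps_output: str) -> list[tuple[int, str]]:
    """Return (pid, name) for processes named after a component or applet."""
    hits = []
    for line in ps_output.splitlines()[1:]:   # first line is the header
        fields = line.split()
        if len(fields) < 9:                   # USER PID PPID VSZ RSS WCHAN ADDR S NAME
            continue
        pid, name = int(fields[1]), fields[-1]
        if name in CHISEL_COMPONENTS or name in MULTICALL_APPLETS:
            hits.append((pid, name))
    return hits

def at_risk_packages(pm_output: str) -> list[str]:
    """Return installed packages whose /data/ directory the malware exfiltrates."""
    installed = {line.split(":", 1)[1].strip()
                 for line in pm_output.splitlines() if line.startswith("package:")}
    return sorted(installed & TARGETED_PACKAGES)

# Constructed sample output; td, dropbear and tcpdump are the planted processes.
SAMPLE_PS = """USER  PID PPID VSZ RSS WCHAN ADDR S NAME
root     1    0 100 10 0 0 S init
root   512    1 100 10 0 0 S netd
root  1337    1 100 10 0 0 S td
root  1338 1337 100 10 0 0 S dropbear
root  1339  512 100 10 0 0 S tcpdump
u0_a9 2001  512 100 10 0 0 S com.android.chrome"""
SAMPLE_PM = "package:com.android.chrome\npackage:com.whatsapp\n" \
            "package:org.telegram.messenger\npackage:com.example.notes\n"

if __name__ == "__main__":
    print("processes:", suspicious_processes(SAMPLE_PS))
    print("at risk:", at_risk_packages(SAMPLE_PM))
```

A process name match is only a lead: "db" or "ssh" can be legitimate on some builds, so confirm the binary on disk before treating it as an infection.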