Five Eyes agencies have issued a joint report on the malware used recently by Russian state-sponsored hackers to target Android devices belonging to the Ukrainian military.
The new malware, named Infamous Chisel, is actually a collection of components designed to provide persistent backdoor access to compromised Android devices over the Tor network, and enable the attackers to collect and exfiltrate data.
The campaign has been linked to the threat actor known as Sandworm, which has previously been attributed to Russia's GRU military intelligence agency.
According to the agencies, the Infamous Chisel malware is designed to periodically scan infected Android devices for information and files that could be of interest to the attackers.
Targeted information includes device details, as well as data associated with commercial apps and applications used by the Ukrainian military.
“The searching of specific files and directory paths that relate to military applications and exfiltration of this data reinforces the intention to gain access to these networks,” the report reads.
In addition, the malware scans the local network for information on active hosts, banners and open ports. Capabilities provided by Infamous Chisel also include SSH access to the device, SCP file transfer, and network monitoring and traffic collection.
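The two network-side behaviours in the paragraph above (a compromised device sweeping the local network for live hosts and open ports, and the device reaching back out over Tor) are the ones a defender can look for in flow or connection telemetry without knowing the sample. The block below is an added example and is not code from the report or any of the agencies: it runs two heuristics over a constructed connection log whose record format, detection thresholds, local-network prefix and Tor-like port list are all assumptions made for illustration; a real deployment would use the indicators published in the report.

```python
"""Defender-side heuristics for scan-like behaviour and Tor-like egress.
The log format, thresholds, local network and sample data below are
assumptions made for this example, not values taken from the report."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Tor ORPort/SOCKS defaults. Assumption for illustration only; a real
# deployment would use the report's published indicators instead.
TOR_LIKE_PORTS = {9001, 9030, 9050, 9051, 9150}

# Assumed address range of the monitored local network.
LOCAL_NET = ipaddress.ip_network("10.20.0.0/16")


def _fmt(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_log():
    """Constructed sample, not real telemetry. Assumed record format:
    <ISO-8601 UTC timestamp> <src_ip> <dst_ip> <dst_port> <proto>
    10.20.0.5 sweeps the /24 on port 22, probes several ports on one host and
    then connects to a Tor-like port; 10.20.0.9 only talks to its gateway."""
    t0 = datetime(2023, 8, 31, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(1, 13):  # horizontal sweep: many hosts, one port
        lines.append(f"{_fmt(t0 + timedelta(seconds=i))} 10.20.0.5 10.20.0.{i} 22 tcp")
    for j, port in enumerate((21, 23, 80, 443, 8080, 8443)):  # vertical probe: one host, many ports
        lines.append(f"{_fmt(t0 + timedelta(seconds=20 + j))} 10.20.0.5 10.20.0.7 {port} tcp")
    lines.append(f"{_fmt(t0 + timedelta(seconds=30))} 10.20.0.5 203.0.113.10 9001 tcp")  # Tor-like egress
    for k in range(3):  # benign traffic from another device
        lines.append(f"{_fmt(t0 + timedelta(minutes=5, seconds=k))} 10.20.0.9 10.20.0.1 443 tcp")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port, proto) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, src, dst, int(port), proto))
    return records


def detect_scanners(records, window=timedelta(seconds=60), min_hosts=8, min_ports=5):
    """Flag sources that contact many distinct hosts (horizontal sweep) or many
    distinct ports (vertical probe) inside any sliding time window.
    Returns {src: {"max_hosts": n, "max_ports": m}} for flagged sources only."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _ in records:
        by_src[src].append((ts, dst, port))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        max_hosts = max_ports = 0
        for i, (start, _, _) in enumerate(events):
            hosts, ports = set(), set()
            for ts, dst, port in events[i:]:
                if ts - start > window:
                    break
                hosts.add(dst)
                ports.add(port)
            max_hosts, max_ports = max(max_hosts, len(hosts)), max(max_ports, len(ports))
        if max_hosts >= min_hosts or max_ports >= min_ports:
            findings[src] = {"max_hosts": max_hosts, "max_ports": max_ports}
    return findings


def detect_tor_like_egress(records, local_net=LOCAL_NET):
    """Return (src, dst, port) for connections that leave the local network
    towards a Tor-like port."""
    hits = []
    for _, src, dst, port, _ in records:
        if port in TOR_LIKE_PORTS and ipaddress.ip_address(dst) not in local_net:
            hits.append((src, dst, port))
    return hits


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    for src, stats in detect_scanners(recs).items():
        print(f"possible scanner {src}: {stats}")
    for src, dst, port in detect_tor_like_egress(recs):
        print(f"Tor-like egress {src} -> {dst}:{port}")
```

The thresholds deliberately err on the side of noise: a device that talks to eight hosts or five ports in a minute is common on a busy network, so in practice these findings are a trigger for pulling the device for inspection rather than an alert on their own. The Tor check only catches direct connections to default ports; a bridge or a non-standard ORPort would pass it, which is why the report's own indicators should be layered on top.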
“The Infamous Chisel components are low to medium sophistication and appear to have been developed with little regard to defense evasion or concealment of malicious activity,” the report explains. “Although the components lack basic obfuscation or stealth techniques to disguise activity, the actor may have deemed this not necessary, since many Android devices do not have a host-based detection system.”
The joint report was written by the UK’s National Cyber Security Centre (NCSC); the US’s National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI); New Zealand’s National Cyber Security Centre (NCSC-NZ); the Canadian Centre for Cyber Security (CCCS); and the Australian Signals Directorate (ASD).
The report includes technical details on each Infamous Chisel component, MITRE ATT&CK information, and indicators of compromise (IoCs).
The report does not mention how the malware has been distributed. However, earlier this month, the Security Service of Ukraine (SBU) reported that Russian forces had captured Ukrainian tablets on the battlefield and attempted to use them to spread malware. They also tried to leverage the access provided by the tablets to breach military networks.
The SBU said the attacks, which involved nearly 10 malware samples designed for stealing information, were linked to the Sandworm group. The agency said the attack attempts were blocked.