Russian State-Sponsored Hackers Target Ukrainian Military with Infamous Chisel Android Malware
Plus, SapphireStealer: Open-Source .NET-Based Information Stealer Malware Fuels Cybercrime Ecosystem
Five Eyes Intelligence Alliance Reveals Details of Sandworm's Mobile Malware Campaign
Cybersecurity and intelligence agencies from the Five Eyes alliance, comprising Australia, Canada, New Zealand, the U.K., and the U.S., have disclosed critical information about a sophisticated mobile malware strain called "Infamous Chisel." This malware, attributed to the Russian state-sponsored hacking group Sandworm, was used to target Android devices employed by the Ukrainian military.
Infamous Chisel and Sandworm: Infamous Chisel is a multifaceted malware strain designed to enable unauthorized access to compromised Android devices, scan files, monitor network traffic, and steal sensitive information. It has been attributed to the notorious Russian state-sponsored hacking group Sandworm, also known as FROZENBARENTS, Iron Viking, Seashell Blizzard, and Voodoo Bear.
Attack Vector: Russian forces reportedly captured Ukrainian military tablets on the battlefield and used them as a foothold to remotely disseminate the malware to other devices using the Android Debug Bridge (ADB) command-line tool.
Malicious Capabilities: Infamous Chisel comprises various components, allowing it to scan for specific file extensions, provide SSH access, and establish remote access through TOR. The malware replaces the legitimate netd daemon on Android devices to achieve persistence and execute commands with root privileges.
Stealing Sensitive Data: The malware's exfiltration frequency is notable, with device data being collected daily and sensitive military information siphoned every 10 minutes. Additionally, it periodically scans the local network for potential targets.
Lack of Sophistication: Interestingly, the Infamous Chisel components exhibit low to medium sophistication and minimal defense evasion techniques. The malware appears to have been developed with little concern for concealing malicious activities, likely due to the absence of host-based detection systems on many Android devices.
The Five Eyes intelligence alliance's disclosure sheds light on a concerning cyber threat to Ukrainian military operations. The Infamous Chisel Android malware, attributed to Sandworm, represents another example of Russia's state-sponsored hacking capabilities, highlighting the need for heightened cybersecurity measures and international cooperation to counter such threats.
Multiple Entities Leverage SapphireStealer to Create Custom Variants, Posing Threats to Organizations and Individuals
The emergence of an open-source information stealer malware named SapphireStealer has given rise to a thriving cybercrime ecosystem. Various threat actors, both financially motivated and nation-state entities, are using this malware to enhance their capabilities and create bespoke variants for malicious activities. Cisco Talos researcher Edmund Brumaghin has highlighted the risks associated with such malware, emphasizing the potential consequences of data theft, espionage, and ransomware attacks.
Information-Stealing Malware: SapphireStealer is a .NET-based information stealer, similar to others found on the dark web. It is designed to collect host information, browser data, files, and screenshots, and to exfiltrate this data as a ZIP file via Simple Mail Transfer Protocol (SMTP).
Open-Source Nature: In late December 2022, the source code of SapphireStealer was released for free, allowing malicious actors to experiment with it and make it more difficult to detect. This has led to multiple variants of the malware emerging in the wild, with threat actors continually improving its efficiency and effectiveness.
Flexible Data Exfiltration: Those using SapphireStealer have introduced flexible data exfiltration methods, such as leveraging Discord webhooks or the Telegram API.
FUD-Loader: The malware author also released a .NET malware downloader named FUD-Loader. This downloader enables the retrieval of additional binary payloads from attacker-controlled distribution servers. Talos has detected FUD-Loader being used to deliver remote administration tools like DCRat, njRAT, DarkComet, and Agent Tesla.
Growing Threat Landscape: The disclosure of SapphireStealer follows closely on the heels of another stealer malware called Agniane Stealer, which is capable of stealing various credentials, system information, browser session details, cryptocurrency data, and more. Agniane Stealer is available for sale on dark web forums and Telegram channels for a monthly fee.
Cybercrime-as-a-Service (CaaS) Model: Information stealers such as SapphireStealer and Agniane Stealer exemplify the evolution of the cybercrime-as-a-service model. They provide threat actors with the means to monetize stolen data and engage in a wide range of malicious cyber activities.
The proliferation of SapphireStealer and similar malware poses a significant threat to organizations and individuals, highlighting the need for robust cybersecurity measures and increased vigilance in the face of a dynamic and evolving cyber threat landscape.
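The three exfiltration channels named above (SMTP, Discord webhooks, the Telegram API) can be hunted for in endpoint network telemetry by asking which process opened the connection. The sketch below is an added example, not code from the original post or from Talos; the event fields, process names and allowlist are assumptions, and the sample events are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed baseline of processes expected to use each channel on a managed
# endpoint; build the real allowlist from your own environment.
EXPECTED = {
    "discord": {"discord.exe"},
    "telegram": {"telegram.exe"},
    "smtp": {"outlook.exe", "thunderbird.exe"},
}
SMTP_PORTS = {25, 465, 587}
DISCORD_WEBHOOK = re.compile(r"^/api(/v\d+)?/webhooks/\d+/")  # /api/webhooks/<id>/<token>
TELEGRAM_BOT = re.compile(r"^/bot[^/]+/")                     # /bot<token>/<method>

def classify(event):
    """Return a finding for one process-network event, or None if benign."""
    channel = None
    if event.get("url"):
        u = urlsplit(event["url"])
        host = (u.hostname or "").lower()
        if host in ("discord.com", "discordapp.com") and DISCORD_WEBHOOK.match(u.path):
            channel = "discord"
        elif host == "api.telegram.org" and TELEGRAM_BOT.match(u.path):
            channel = "telegram"
    elif event.get("dst_port") in SMTP_PORTS:
        channel = "smtp"
    if channel is None or event["process"].lower() in EXPECTED[channel]:
        return None
    return f"{channel}: unexpected process {event['process']}"

def scan(events):
    """Return findings for every event that uses a channel unexpectedly."""
    return [f for f in map(classify, events) if f]

# Constructed sample telemetry (hypothetical schema: process + url or dst_port).
SAMPLE_EVENTS = [
    {"process": "chrome.exe", "url": "https://discord.com/channels/1/2"},
    {"process": "invoice_viewer.exe",
     "url": "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER"},
    {"process": "updater.exe",
     "url": "https://api.telegram.org/botPLACEHOLDER/sendDocument"},
    {"process": "OUTLOOK.EXE", "dst_port": 587},
    {"process": "svc_report.exe", "dst_port": 587},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A hit here is a lead for triage rather than a verdict: legitimate automation also posts to webhooks and bot APIs, which is why the allowlist has to come from a local baseline.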