Cybersecurity and intelligence agencies from Australia, Canada, New Zealand, the U.K., and the U.S. on Thursday disclosed details of a mobile malware strain targeting Android devices used by the Ukrainian military.

The malicious software, dubbed Infamous Chisel and attributed to a Russian state-sponsored actor called Sandworm, has capabilities to “enable unauthorized access to compromised devices, scan files, monitor traffic, and periodically steal sensitive information.”

Some aspects of the malware were uncovered by the Security Service of Ukraine (SBU) earlier in August, highlighting unsuccessful attempts on part of the adversary to penetrate Ukrainian military networks and gather valuable intelligence.

It’s said that Russian forces captured tablets used by Ukraine on the battlefield, using them as a foothold to remotely disseminate the malware to other devices by using the Android Debug Bridge (ADB) command-line tool.

Sandworm, also known by the names FROZENBARENTS, Iron Viking, Seashell Blizzard, and Voodoo Bear, refers to the Russian Main Intelligence Directorate’s (GRU) Main Centre for Special Technologies (GTsST).

Active since at least 2014, the hacking crew is best known for its string of disruptive and destructive cyber campaigns using malware such as Industroyer, BlackEnergy, and NotPetya.

In July 2023, Google-owned Mandiant said that the malicious cyber operations of GRU adhere to a playbook that offers tactical and strategic benefits, enabling the threat actors to adapt swiftly to a “fast-paced and highly contested operating environment” and at the same time maximize their speed, scale, and intensity without getting detected.

Infamous Chisel is described as a collection of multiple components that’s designed with the intent to enable remote access and exfiltrate information from Android phones.

Besides scanning the devices for information and files matching a predefined set of file extensions, the malware also contains functionality to periodically scan the local network and offer SSH access.

“Infamous Chisel also provides remote access by configuring and executing TOR with a hidden service which forwards to a modified Dropbear binary providing a SSH connection,” the Five Eyes (FVEY) intelligence alliance said.

A brief description of each of the modules is as follows –

  • netd – Collate and exfiltrate information from the compromised device at set intervals, including from app-specific directories and web browsers
  • td – Provide TOR services
  • blob – Configure Tor services and check network connectivity (executed by netd)
  • tcpdump – Legitimate tcpdump utility with no modifications
  • killer – Terminate the netd process
  • db – Contains several tools to copy files and provide secure shell access to the device via the TOR hidden service using a modified version of Dropbear
  • NDBR – A multi-call binary similar to db that comes in two flavors to be able to run on Arm (ndbr_armv7l) and Intel (ndbr_i686) CPU architectures

Persistence on the device is achieved by replacing the legitimate netd daemon, which is responsible for network configuration on Android, with a rogue version, enabling it to execute commands as the root user.

As far as the exfiltration frequency is concerned, compilation of file and device data takes place every day, while sensitive military information is siphoned every 10 minutes. The local area network is scanned once in two days.

“The Infamous Chisel components are low to medium sophistication and appear to have been developed with little regard to defense evasion or concealment of malicious activity,” the agencies said.

“The searching of specific files and directory paths that relate to military applications and exfiltration of this data reinforces the intention to gain access to these networks. Although the components lack basic obfuscation or stealth techniques to disguise activity, the actor may have deemed this not necessary, since many Android devices do not have a host-based detection system.”


Way Too Vulnerable: Uncovering the State of the Identity Attack Surface

Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats

Supercharge Your Skills

The development comes as the National Cybersecurity Coordination Center of Ukraine (NCSCC) shed light on the phishing endeavors of another Kremlin-backed hacking outfit known as Gamaredon (aka Aqua Blizzard, Shuckworm, or UAC-0010) to siphon classified information.

The government agency said the threat actor, which has repeatedly targeted Ukraine since 2013, is ramping up attacks on military and government entities with the goal of harvesting sensitive data relating to its counteroffensive operations against Russian troops.

“Gamaredon uses stolen legitimate documents of compromised organizations to infect victims,” NCSCC said. “Gamaredon uses stolen legitimate documents of compromised organizations to infect victims.”

The group has a track record of abusing Telegram and Telegraph as dead drop resolvers to retrieve information pertaining to its command-and-control (C2) infrastructure, while leveraging a “well-rounded” arsenal of malware tools to meet its strategic goals.

This comprises GammaDrop, GammaLoad, GammaSteel, LakeFlash, and Pterodo, the last of which is a multipurpose tool honed for espionage and data exfiltration.

“Its versatility in deploying various modules makes it a potent threat, capable of infiltrating and compromising targeted systems with precision,” NCSCC said.

“While Gamaredon may not be the most technically advanced threat group targeting Ukraine, their tactics exhibit a calculated evolution. The growing frequency of attacks suggests an expansion in their operational capacity and resources.”