Russia’s Sandworm attack group has created a new toolkit for compromising Android devices, says a report released today by the Five Eyes intelligence co-operative consisting of the intelligence agencies of the U.S., Canada, the U.K., Australia and New Zealand, first using it to target Android devices used by the Ukrainian military.
The malware, which the government researchers dub ‘Infamous Chisel,’ searches for specific files and directory paths that relate to military applications.
The malware provides a network access backdoor via a Tor service and secure shell (SSH). It performs periodic scanning of files and network information of the compromised device for exfiltration. Other capabilities include network monitoring, traffic collection, SSH access, network scanning, and SCP file transfer.
Sandworm — also called Voodoo Bear, Electrum by some researchers — has been linked to the Russian military intelligence’s Main Centre for Special Technologies (GTsST). That organisation has been accused by the U.S. of being behind the 2015 and 2016 attacks against Ukrainian electric providers, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019. According to Mitre, some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.
Creation of the Infamous Chisel toolkit is the latest move in the cyber war between Russia and Ukraine, part of the larger physical war between the two countries.
According to the Five Eyes report, components within Infamous Chisel are “of low to medium sophistication and appear to have been developed with little regard to defense evasion or concealment of malicious activity.”
“Although the components lack basic obfuscation or stealth techniques to disguise activity, the actor may have deemed this not necessary,” the report adds, “since many Android devices do not have a host-based detection system.”
Two interesting techniques are present in Infamous Chisel, the report says:
- the replacement of the legitimate Android
netdexecutable to maintain persistence.
- the modification of the authentication function in the components that include an SSH client dubbed dropbear.
These techniques require a good level of C++ knowledge to make the alterations and an awareness of Linux authentication and boot mechanisms, the report says.
“Even with the lack of concealment functions, these components present a serious threat because of the impact of the information they can collect,” the report adds.