Cyber security and law enforcement agencies from the UK, Australia, New Zealand, the US, and Canada have picked up on a new campaign by a Russian-backed threat actor targeting Android-powered devices in Ukraine.
The UK’s National Cyber Security Centre released a Malware Analysis Report overnight, in conjunction with the Australian Signals Directorate, the US National Security Agency, US Cybersecurity and Infrastructure Security Agency, US Federal Bureau of Investigation, New Zealand’s National Cyber Security Centre, and the Canadian Centre for Cyber Security.
The Five Eyes agencies are dubbing the new campaign Infamous Chisel, and it consists of a number of components that allow the malware’s operator – very likely the Sandworm group, which has been very active in Ukraine – to connect to and snoop on Android devices. The campaign is aimed at devices in use by the Ukrainian military in particular.
“Infamous Chisel is a collection of components which enable persistent access to an infected Android device over the Tor network, and which periodically collates and exfiltrates victim information from compromised devices,” the NCSC said in its report. “The information exfiltrated is a combination of system device information, commercial application information and applications specific to the Ukrainian military.”
The nine components of the malware, taken as a whole, allow infected devices to be scanned for specific “files of interest”, and the local network environment to be scanned as well. Remote access functionality is included, too, executing via a hidden instance of the Tor browser. File transfer is also possible.
The malware runs on an almost 24-hour cycle, searching for specific file types – such as xml, wa.db, msgstore.db, .pdf, .xlsx, .csv, .zip, telephony.db, .png, .jpg, .jpeg, .kme, and database.hik – in specific directories of an infected device, alongside directories used by “military-specific” applications.
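For an analyst scoping what a compromised handset would have exposed, the file-type list above can be turned into a simple triage filter over a forensic file listing. The following is an added example, not code from the NCSC report; the sample paths are constructed, and treating the report’s bare “xml” entry as a file extension is an assumption.

```python
# Added example (not from the NCSC report): given a file listing from an Android
# device image, flag files whose names or extensions fall in the Infamous Chisel
# "files of interest" set, grouped by directory, to scope what would have been collected.
from collections import defaultdict
from pathlib import PurePosixPath

# Exact file names and extensions named in the report. "xml" is listed without a
# leading dot in the report; it is treated here as an extension (an assumption).
EXACT_NAMES = {"wa.db", "msgstore.db", "telephony.db", "database.hik"}
EXTENSIONS = {".xml", ".pdf", ".xlsx", ".csv", ".zip", ".png", ".jpg", ".jpeg", ".kme"}


def classify(path: str):
    """Return 'name' or 'ext' if the path matches the target set, else None."""
    p = PurePosixPath(path)
    if p.name in EXACT_NAMES:
        return "name"
    if p.suffix.lower() in EXTENSIONS:  # case-insensitive: IMG_0001.JPG still matches
        return "ext"
    return None


def exposure_by_directory(listing: list[str]) -> dict[str, list[str]]:
    """Group matching paths by parent directory so an analyst can see which
    locations (for example app data directories) would have been harvested from."""
    hits = defaultdict(list)
    for path in listing:
        if classify(path):
            hits[str(PurePosixPath(path).parent)].append(path)
    return dict(hits)


# Constructed sample listing; these paths are illustrative, not from the report.
SAMPLE_LISTING = [
    "/data/data/com.whatsapp/databases/msgstore.db",
    "/data/data/com.whatsapp/databases/wa.db",
    "/data/data/com.android.providers.telephony/databases/telephony.db",
    "/sdcard/Download/orders.pdf",
    "/sdcard/DCIM/Camera/IMG_0001.JPG",
    "/sdcard/Download/notes.txt",
    "/data/data/com.example/cache/config.xml",
]

if __name__ == "__main__":
    for directory, files in exposure_by_directory(SAMPLE_LISTING).items():
        print(f"{directory}: {len(files)} file(s) of interest -> {files}")
```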
“The Infamous Chisel components are low to medium sophistication and appear to have been developed with little regard to defence evasion or concealment of malicious activity,” the report notes.
“Although the components lack basic obfuscation or stealth techniques to disguise activity, the actor may have deemed this not necessary since many Android devices do not have a host-based detection system.”
According to the NCSC, the malware campaign poses a “serious threat” due to the kind of information it seeks out and extracts.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.