https://therecord.media/ukraine-battlefield-tablets-malware-sandworm-gru-five-eyes-report
Western intelligence and cybersecurity agencies published a report on Thursday highlighting a collection of hacking tools being used by Russia's military intelligence service against Android devices operated by the Ukrainian Armed Forces.
The report, published by Britain's National Cyber Security Centre (NCSC) - alongside agencies in the United States, Canada, Australia and New Zealand, who form the Five Eyes intelligence alliance - names the malware "Infamous Chisel."
It details how the malware enables the GRU to acquire unauthorized access to compromised devices before scanning files, monitoring traffic and periodically stealing sensitive information.
"Infamous Chisel is a collection of components which enable persistent access to an infected Android device over the Tor network, and which periodically collates and exfiltrates victim information from compromised devices," explains the report, referencing the technology that anonymizes internet traffic.
The components making up the malware "are low to medium sophistication and appear to have been developed with little regard to defence evasion or concealment of malicious activity," according to the new report.
They lack "basic obfuscation or stealth techniques to disguise activity" according to the NCSC, although the agency says that the hackers behind the malware may have assumed this was unnecessary as many Android devices don't have a host-based detection system.
The report does credit the malware for two interesting techniques: how it maintains persistence by replacing the legitimate netd system binary with a malicious version, and how it provides the hackers with remote access to the devices "by configuring and executing Tor with a hidden service which forwards to a modified Dropbear binary providing a SSH connection." Dropbear is legitimate open source Unix-based software for Secure Shell (SSH) servers, which encrypt network traffic.
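The persistence technique described above, a legitimate system binary swapped for a malicious one, is exactly what a baseline-and-compare integrity check catches. The following is an added defender-side example, not code from the report or from the NCSC: it records SHA-256 hashes of a trusted set of binaries and later re-hashes them, flagging any that were replaced or removed. The file names, their contents and the temporary directory standing in for a system binary directory are all constructed for the demo; the real location of netd on a device is not taken from the page and is only noted as an assumption.

```python
"""Baseline-and-compare integrity check for system binaries.

Added illustrative example (not from the report or the NCSC). It records
SHA-256 hashes of a known-good set of binaries and later re-checks them,
flagging any that were replaced, which is how the report says netd is
abused for persistence. All paths and file contents are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, names) -> dict:
    """Record the hash of each named binary under root, taken from a trusted image."""
    return {name: sha256_file(root / name) for name in names}


def check_binaries(root: Path, baseline: dict) -> list:
    """Re-hash each baselined binary and report its status.

    Returns a sorted list of (name, status) with status in
    {"ok", "modified", "missing"}. A "modified" netd is the replacement
    the report describes; a "missing" entry is also worth an alert, since
    a system binary should never simply disappear.
    """
    findings = []
    for name, expected in baseline.items():
        target = root / name
        if not target.exists():
            findings.append((name, "missing"))
        elif sha256_file(target) != expected:
            findings.append((name, "modified"))
        else:
            findings.append((name, "ok"))
    return sorted(findings)


def demo() -> list:
    """Simulate a trusted baseline, then a replaced netd and a removed logd (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for system binaries. On a real device the
        # directory would be the system binary path (assumption, not from the page).
        (root / "netd").write_bytes(b"\x7fELF genuine netd")
        (root / "sh").write_bytes(b"\x7fELF genuine sh")
        (root / "logd").write_bytes(b"\x7fELF genuine logd")
        baseline = build_baseline(root, ["netd", "sh", "logd"])
        # Replacement of netd, as the report describes for persistence.
        (root / "netd").write_bytes(b"\x7fELF replaced netd")
        # A binary that has been removed outright.
        (root / "logd").unlink()
        return check_binaries(root, baseline)


if __name__ == "__main__":
    for name, status in demo():
        print(f"{name}: {status}")
```

In practice the baseline would be generated from a trusted image rather than from the device itself, and stored off-device, since a tool that has already replaced netd could just as easily rewrite a baseline kept alongside it.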
"These techniques require a good level of C++ knowledge to make the alterations and an awareness of Linux authentication and boot mechanisms," states the report.