New Russian Android malware targets Ukraine’s military devices: Report

Share post:

Russia’s Sandworm attack group has created a new toolkit for compromising Android devices, says a report released today by the Five Eyes intelligence co-operative consisting of the intelligence agencies of the U.S., Canada, the U.K., Australia and New Zealand, first using it to target Android devices used by the Ukrainian military.

The malware, which the government researchers dub ‘Infamous Chisel,’ searches for specific files and directory paths that relate to military applications.

The malware provides a network access backdoor via a Tor service and secure shell (SSH). It performs periodic scanning of files and network information of the compromised device for exfiltration. Other capabilities include network monitoring, traffic collection, SSH access, network scanning, and SCP file transfer.

Sandworm — also called Voodoo Bear, Electrum by some researchers — has been linked to the Russian military intelligence’s Main Centre for Special Technologies (GTsST). That organisation has been accused by the U.S. of being behind the 2015 and 2016 attacks against Ukrainian electric providers, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019. According to Mitre, some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.

Creation of the Infamous Chisel toolkit is the latest move in the cyber war between Russia and Ukraine, part of the larger physical war between the two countries.

According to the Five Eyes report, components within Infamous Chisel are “of low to medium sophistication and appear to have been developed with little regard to defense evasion or concealment of malicious activity.”

“Although the components lack basic obfuscation or stealth techniques to disguise activity, the actor may have deemed this not necessary,” the report adds, “since many Android devices do not have a host-based detection system.”

Two interesting techniques are present in Infamous Chisel, the report says:

  • the replacement of the legitimate Android netd executable to maintain persistence.
  • the modification of the authentication function in the components that include an SSH client dubbed dropbear.

These techniques require a good level of C++ knowledge to make the alterations and an awareness of Linux authentication and boot mechanisms, the report says.

“Even with the lack of concealment functions, these components present a serious threat because of the impact of the information they can collect,” the report adds.

The post New Russian Android malware targets Ukraine’s military devices: Report first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

Cyber Security Today, Week in Review for week ending Friday May 17, 2024

Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, May 17th,...

Cyber Security Today, May 17, 2024 – Malware hiding in Apache Tomcat servers

Malware hiding in Apache Tomcat servers, new backdoors found, and more Welcome to Cyber Security Today. It's Friday, May...

MIT students exploit blockchain vulnerability to steal 25 million dollars

Two MIT students have been implicated in a highly sophisticated cryptocurrency heist, where they reportedly exploited a vulnerability...

Cyber Security Today, May 15, 2024 – Ebury botnet still exploits Linux servers, Microsoft, SAP and Apple issue security updates

The Ebury botnet continues to exploit Linux servers, Microsoft, SAP and Apple issue security updates, and more. Welcome to...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways