Malware Analysis Report Infamous Chisel (En)

Crafted by the digital artisans known as Sandworm, The Chisel is not just malware; it's a masterpiece of intrusion. This collection of digital tools doesn't just sneak into Android devices; it sets up shop, kicks back with a martini, and gets to work exfiltrating all sorts of juicy information. System device info, commercial application data, and oh, let's not forget the pièce de résistance, military-specific applications. Because why go after boring, everyday data when you can dive into the se

Read more: Boosty | Sponsr | TG

Abstract – This document presents an analysis of the "Infamous Chisel" malware, a sophisticated cyber threat attributed to the Sandworm group. The analysis delves into various aspects of the malware, including its capabilities, components, and the implications of its deployment against specific targets, notably Android devices.

By dissecting the malware's components and tactics, the document sheds light on the sophisticated nature of cyber threats and their potential to compromise sensitive information and disrupt operations. The findings underscore the critical need for vigilance and proactive defense measures in the face of such advanced threats. For cybersecurity professionals and other specialists across various sectors, this analysis serves as a valuable resource for understanding the mechanics and implications of advanced malware threats like Infamous Chisel. The document's insights can inform the development of more effective defense strategies and technologies, enhancing the security posture of organizations and protecting against the ever-evolving landscape of cyber threats.

I. INTRODUCTION

The Chisel malware targets Android devices, enabling remote access and exfiltrating information from these devices. Sandworm has used this malware in a campaign targeting Android devices used by the military sector. The malware is a collection of components that enable persistent access to an infected Android device over the Tor network and periodically collates and exfiltrates victim information from compromised devices. The information exfiltrated includes system device information, commercial application information, and applications specific to the military sector.

II. COMPONENTS OF INFAMOUS CHISEL

Infamous Chisel is a collection of components associated with Sandworm, designed to enable remote access and exfiltrate information from Android phones.

The components of Infamous Chisel include:

• netd: This component is used to perform automated device information collection and exfiltration. It also searches multiple directories for files matching a predefined set of extensions, which are then exfiltrated.
• killer: This component kills the malicious netd process.
• blob: This component is executed by netd and is responsible for configuring and executing the Tor utility td.
• td: This utility is Tor with no obvious modifications.
• tcpdump: This utility is tcpdump with no obvious modifications.
• ndbr_armv7l and ndbr_i686: These utilities are multi-call binaries containing: dropbear, dropbearkey, ssh, scp, nmap, dbclient, watchdog, rmflag, mkflag.
• db: This utility is a multi-call binary containing: dropbear, dropbearkey, ssh, scp, nmap, dbclient, watchdog, rmflag, mkflag.

III. NETWORK AND OTHER FEATURES

Infamous Chisel is designed to persist on the system by replacing the legitimate netd system binary at the path /system/bin/netd. When the malicious netd is executed, it checks whether init is the parent process that executed it; init is the process responsible for creating the processes listed in the script init.rc. When executed in this way, the malicious replacement netd forks and executes the legitimate binary backed up at the path /system/bin/netd_, passing through the command line parameters. This retains the normal functionality of netd while allowing the malicious netd to execute as root.

The netd component of Infamous Chisel provides the bulk of the custom functionality which the actor deploys. The main purpose of netd is to collate and exfiltrate information from the compromised device at set intervals. It uses a combination of shell scripts and commands to collect device information. It also searches multiple directories for files matching a predefined set of extensions, which are then exfiltrated.

Infamous Chisel has several other capabilities:

• Network Monitoring and Traffic Collection: Infamous Chisel can monitor network activity and collect network traffic data. This allows it to gather information about the network environment and potentially capture sensitive data transmitted over the network.
• SSH Access: Infamous Chisel can establish SSH connections, which can be used for remote command execution and data transfer.
• Network Scanning: The malware can scan the local network, collating information about active hosts, open ports, and banners. This can help identify other potential targets within the network.
• SCP File Transfer: Infamous Chisel can use the Secure Copy Protocol (SCP) for file transfers. This can be used to exfiltrate data from the infected device or to transfer malicious files onto the device.
• Information Exfiltration: Infamous Chisel performs periodic scanning of files and network information for exfiltration. System and application configuration files are exfiltrated from an infected device.
• Device Information Collection: Infamous Chisel collects various system device information, commercial application information, and applications specific to the military sector.
• Automated Exfiltration: Infamous Chisel automatically exfiltrates files at regular intervals.
• Service Stop: Infamous Chisel can stop the legitimate netd service.

IV. EXPLOITED VULNERABILITIES

The Infamous Chisel campaign exploits a variety of vulnerabilities and techniques to enable unauthorized access and control over targeted Android devices. The campaign exploits a combination of system vulnerabilities, insecure configurations, and network protocols to achieve its objectives. These include gaining persistence and elevated privileges, evading detection, accessing credentials, collecting sensitive information, establishing covert command and control channels, and potentially moving laterally within the network.

The primary vulnerabilities and techniques exploited by Infamous Chisel include (without specific CVE):

• Persistence and Privilege Escalation: Infamous Chisel achieves persistence on the infected device by replacing the legitimate netd system binary. This replacement allows the malicious netd to execute as root, thereby gaining elevated privileges.
• Defense Evasion: The malware employs several defense evasion techniques. For instance, it checks that it is executed by init and at the path of the legitimate netd, so that its malicious activities are less likely to be detected. Additionally, the blob component decompresses executables from bzip archives, which could be a method to evade detection by unpacking its payload only after it has bypassed initial security checks.
• Credential Access: Infamous Chisel uses the tcpdump utility to sniff network interfaces and monitor network traffic, potentially capturing credentials transmitted over the network. It also scrapes multiple files containing credentials and key information, exploiting the storage and handling of sensitive information on the device to gain unauthorized access to accounts and services.
• Discovery and Collection: The malware performs extensive discovery and collection activities, such as enumerating data directories to discover files of interest, collecting GPS information, listing installed packages, and gathering various system information. This indicates that Infamous Chisel exploits the lack of secure storage and inadequate permission settings on the device to access and collect sensitive information.
• Command and Control (C2) and Exfiltration: Infamous Chisel configures and executes Tor with a hidden service, which forwards to a modified Dropbear binary providing an SSH connection. This setup allows the malware to establish a covert communication channel with the infected device, exploiting network protocols and services to maintain control over the device and exfiltrate collected data.
• Network Scanning and Lateral Movement: The malware contains functionality to scan the local network, collating information about active hosts, open ports, and banners. This capability suggests that Infamous Chisel exploits the network environment of the infected device to identify other potential targets within the network for lateral movement or further exploitation.

V. INFILTRATION

The Infamous Chisel campaign exfiltrates information from infected Android devices through a series of automated and manual processes. The malware, associated with the Sandworm threat actor, performs periodic scanning of files and network information for exfiltration. It searches for files matching a predefined set of extensions and exfiltrates system and application configuration files from the infected device.

The exfiltration process is detailed as follows:

• File Hashing and Avoiding Duplication: When a file is selected for exfiltration, it is hashed using MD5 and cross-referenced with a list of previously sent file hashes held in a file at one of three locations supporting different Android versions. This ensures that the same file isn't sent multiple times.
• File exfiltration from data directories: The malware searches specified directories for files with certain extensions and exfiltrates them.
• Exfiltration of configuration and configuration backup files: The malware searches for .json or .json.bak files in specified directories and exfiltrates them.
• File Exfiltration: The malware exfiltrates files using an HTTP POST request. The server response is expected to be HTTP, and the exfiltration is considered complete when the server sends 'Success' anywhere in its response.
• Information Gathering and Exfiltration: Infamous Chisel collects various hardware configuration information about the device and writes this information to files in the /data/local directory, which are then exfiltrated. This includes the Android ID, networking information, a list of installed applications, and various device hardware information.
• Local Area Network Scanning: The malware includes a built-in network scanner that performs IP scanning of the local network to discover other devices. The results of this scan are exfiltrated immediately, providing the attackers with information that could facilitate lateral movement within the network.
• Exfiltration Frequency: The malware is designed to automatically exfiltrate files at regular intervals, with specific intervals set for different types of data collection. For example, file and device information compilation takes place every 23 hours and 53 minutes, while sensitive military information is siphoned every 10 minutes.
• Use of Tor and SSH for Secure Exfiltration: Infamous Chisel uses Tor and SSH for command and control communications, providing an encrypted channel that can be difficult to detect and intercept. This setup allows the malware to maintain a covert communication channel with the infected device, making detection and mitigation more challenging.

When a file is selected for exfiltration, it is MD5-hashed and cross-referenced with a list of previously sent file hashes held in a file at one of three locations supporting different Android versions. The first existing directory path will be used: /sdcard/Android/data/.google.index, /storage/emulated/0/Android/data/.google.index, or /storage/emulated/1/Android/data/.google.index.

The file exfiltration is considered complete when the server sends "Success" anywhere in its response. This exfiltration uses a Hypertext Transfer Protocol (HTTP) POST, and the server response is also expected to be HTTP, but this is not explicitly checked for. The 16 raw bytes of the MD5 are appended to the end of the .google.index file, ensuring that the same file isn't sent multiple times. As the .google.index file contains raw bytes, without prior knowledge it would appear to contain random data. The initial allocation size is 256 Kb filled with NULLs, providing space for up to a maximum of 16,384 file hashes. All hash entries will be checked for every file prior to exfiltration. When the end of the .google.index file is reached, the position is reset to the start, overwriting the previous hashes. This means that if the number of files to exfiltrate from the device exceeds 16,384, files will be sent multiple times.

The netd component of Infamous Chisel enters a main loop upon execution, where various timers trigger the execution of different tasks, including file and device information exfiltration. This process occurs every 86,000 seconds (approximately 23 hours, 53 minutes, and 20 seconds), during which the malware searches specified directories for files matching a list of extensions and collects various hardware configuration information about the device. The collected information is written to files in the /data/local directory and then exfiltrated.

VI. IMPACT & GEO SCOPE

The impact of Infamous Chisel on Android devices is significant. It leads to loss of sensitive information, privacy breaches, and potential misuse of the device for further malicious activities.

The Infamous Chisel campaign primarily targeted Android devices used by the military sector. The malware, associated with the Sandworm activity, was designed to enable remote access and exfiltrate information from these devices. The campaign was identified and reported by multiple organizations including the UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA), US Federal Bureau of Investigation (FBI), New Zealand's National Cyber Security Centre (NCSC-NZ), the Canadian Centre for Cyber Security, and Australian Signals Directorate (ASD).

VII. INFECTING WAYS

Based on the capabilities and methods of operation described in the document, we can infer some potential infection vectors that such a sophisticated malware campaign might use:

• Phishing Attacks: Attackers may use phishing techniques to trick users into installing malicious applications or clicking on links that lead to the download of the malware.
• Exploiting Vulnerabilities: The malware may exploit known vulnerabilities in the Android operating system or in installed applications to gain unauthorized access and install itself.
• Social Engineering: Social engineering tactics could be used to convince users to grant permissions or disable security features that would otherwise prevent the malware from executing or gaining persistence.
• Third-Party App Stores: Infamous Chisel could be distributed through third-party app stores or websites offering infected applications that appear legitimate.
• Malvertising: Malicious advertisements could redirect users to websites that automatically download and install the malware on their devices.
• Spear Phishing: Targeted spear-phishing campaigns could be used to infect devices of specific individuals or organizations with the malware.
• Supply Chain Attack: Compromising software supply chains to inject malicious code into legitimate applications could be another method, although this is a more sophisticated and less common approach.

VIII. PROACTIVE AND REACTIVE MEASURES

The approach to defending against such sophisticated malware campaigns typically involves a combination of proactive and reactive cybersecurity practices. It is important for organizations to adopt a layered security approach that includes both preventive and detective controls to protect against sophisticated malware campaigns. Additionally, staying informed about the latest cyber threats and collaborating with cybersecurity agencies and industry partners can enhance an organization's ability to defend against such threats.

Proactive measures include:

• Cybersecurity Awareness and Training: Educating employees about the risks of malware and the importance of following security best practices, such as not clicking on suspicious links or downloading unverified attachments.
• Regular Software Updates: Ensuring that all software, including operating systems and applications, is kept up-to-date with the latest security patches to mitigate known vulnerabilities.
• Robust Anti-Virus and Anti-Malware Solutions: Deploying comprehensive anti-virus and anti-malware solutions that can detect and prevent the execution of malicious code on organizational devices.
• Network Security: Implementing network security measures such as firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) to monitor and control incoming and outgoing network traffic based on an applied rule set.
• Access Controls: Enforcing strict access controls and using the principle of least privilege to ensure that users have only the access necessary to perform their job functions.
• Incident Response Planning: Developing and maintaining an incident response plan to quickly and effectively respond to potential security incidents.

Reactive measures include:

• Threat Intelligence Sharing: Participating in threat intelligence sharing with other organizations and cybersecurity agencies to stay informed about the latest threats and mitigation strategies.
• Monitoring and Detection: Continuously monitoring systems for signs of compromise and having detection mechanisms in place to alert on suspicious activities.
• Forensic Analysis: Conducting forensic analysis in the event of a security breach to understand the scope of the compromise, eradicate the threat, and recover affected systems.
• Regular Security Audits: Performing regular security audits and vulnerability assessments to identify and address security gaps in the organization's infrastructure.
• Backup and Recovery: Maintaining regular backups of critical data and having a disaster recovery plan to restore operations in the event of a malware attack.

Android Device measures:

• Keep Software Updated: Regularly update the Android operating system and all installed applications to ensure that known vulnerabilities are patched. Malware often exploits security flaws in outdated software.
• Install Security Software: Use reputable antivirus and anti-malware solutions designed for Android devices. These can help detect and remove malicious software.
• Avoid Unknown Sources: Disable the installation of apps from unknown sources in the device settings. Only download apps from trusted sources like the Google Play Store.
• Be Cautious with Links and Attachments: Do not click on links or download attachments from unknown or suspicious sources. Phishing is a common method used to distribute malware.
• Use a VPN: When connecting to public Wi-Fi networks, use a Virtual Private Network (VPN) to encrypt your internet connection and protect against network sniffing.
• Enable Two-Factor Authentication (2FA): Use 2FA for online accounts to add an extra layer of security, making it harder for attackers to gain access even if they manage to steal credentials.
• Monitor Network Traffic: For organizations, monitoring network traffic for unusual activity can help detect the presence of malware like Infamous Chisel. Implement network segmentation to limit the spread of malware.
• Educate Users: Raise awareness among users about the risks of malware and the importance of following best security practices.
• Backup Important Data: Regularly back up important data stored on the device. In case of a malware infection, having backups can prevent data loss.
• Use Device Encryption: Enable device encryption to protect the data on your device. This makes it more difficult for attackers to access your information if the device is compromised.
• Restrict App Permissions: Review and restrict the permissions granted to applications. Limiting permissions can reduce the amount of data an app can access, thereby limiting what can be exfiltrated by malware.
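The .google.index deduplication file described in Section V is also a forensic artifact: because it stores the raw MD5 of every file the malware sent, an incident responder who recovers it from one of the three paths can hash the files still on the device and establish exactly which ones were exfiltrated. The following Python script is an added example (not code from the report) that does this triage; it relies only on the layout the report states (256 KB NUL-filled image, 16-byte slots, wrap-around at 16,384 entries), and the sample index and files are constructed in memory.

```python
"""Forensic triage of an Infamous Chisel '.google.index' dedup file (added example)."""
import hashlib
from typing import Dict, List, Set

# Paths quoted in the report; the malware uses the first one that exists.
INDEX_PATHS = (
    "/sdcard/Android/data/.google.index",
    "/storage/emulated/0/Android/data/.google.index",
    "/storage/emulated/1/Android/data/.google.index",
)
INDEX_SIZE = 256 * 1024               # 256 KB initial allocation, NUL-filled
SLOT_SIZE = 16                        # one raw MD5 digest per slot
MAX_SLOTS = INDEX_SIZE // SLOT_SIZE   # 16,384 hashes before the position wraps


def parse_index(data: bytes) -> List[bytes]:
    """Return every occupied 16-byte MD5 slot in an index image.

    Slots are all-NUL until written, and the write position wraps around, so
    entries may sit anywhere in the file; a truncated copy recovered from a
    device is still parsed, with a partial trailing slot ignored.
    """
    usable = len(data) - len(data) % SLOT_SIZE
    slots = [data[i:i + SLOT_SIZE] for i in range(0, usable, SLOT_SIZE)]
    return [s for s in slots if s != b"\x00" * SLOT_SIZE]


def match_exfiltrated(index_hashes: List[bytes], files: Dict[str, bytes]) -> Set[str]:
    """Name each candidate file whose MD5 appears in the index, i.e. was sent."""
    sent = set(index_hashes)
    return {path for path, content in files.items()
            if hashlib.md5(content).digest() in sent}


def build_sample_index(contents: List[bytes]) -> bytes:
    """Constructed fixture that mimics the layout the report describes (not the
    malware's code): digests written from offset 0, wrapping after MAX_SLOTS."""
    image = bytearray(INDEX_SIZE)
    for n, content in enumerate(contents):
        off = (n % MAX_SLOTS) * SLOT_SIZE
        image[off:off + SLOT_SIZE] = hashlib.md5(content).digest()
    return bytes(image)


# Constructed device files: the first two are recorded in the sample index,
# the third never was, so only the first two are reported as exfiltrated.
SAMPLE_FILES = {
    "/sdcard/Download/orders.json": b'{"unit": "example", "pos": [0, 0]}',
    "/sdcard/Documents/map.kml": b"<kml>constructed sample</kml>",
    "/sdcard/Documents/notes.txt": b"never selected for exfiltration",
}
SAMPLE_INDEX = build_sample_index([SAMPLE_FILES["/sdcard/Download/orders.json"],
                                   SAMPLE_FILES["/sdcard/Documents/map.kml"]])

if __name__ == "__main__":
    print("collect from the first existing path of:", *INDEX_PATHS, sep="\n  ")
    hashes = parse_index(SAMPLE_INDEX)
    print(f"{len(hashes)} of {MAX_SLOTS} slots used")
    for path in sorted(match_exfiltrated(hashes, SAMPLE_FILES)):
        print("exfiltrated:", path)
```

Because the index wraps once 16,384 files have been sent, a full image only proves the most recent round of exfiltration; earlier entries are overwritten and cannot be recovered from it.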
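The "Monitor Network Traffic" measure above can be made concrete using the timers the report gives in Section V: exfiltration runs on fixed intervals (every 86,000 seconds for file and device information, every 10 minutes for military-specific data) over HTTP POST, so a stream of POSTs from one device to one destination with almost no variation in inter-arrival time is a useful hunting signal. This Python detector is an added example, not code from the report; the log format (epoch, source, destination, method per line) is an assumption and the log lines are constructed.

```python
"""Flag fixed-interval HTTP POST beaconing in proxy logs (added example)."""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Timers stated in the report, in seconds.
KNOWN_PERIODS = {"device/file collection": 86_000, "military data": 600}


def parse_log(lines: List[str]) -> Dict[Tuple[str, str], List[int]]:
    """Group POST timestamps by (source, destination) from 'epoch src dst method' lines."""
    posts: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than abort the hunt
        ts, src, dst, method = parts
        if method == "POST":
            posts[(src, dst)].append(int(ts))
    return posts


def find_beacons(posts: Dict[Tuple[str, str], List[int]],
                 min_events: int = 4, max_jitter: float = 0.05) -> List[Tuple[str, str, int, str]]:
    """Return (src, dst, period_seconds, label) for streams with near-constant gaps.

    max_jitter bounds the coefficient of variation of the gaps: human-driven
    traffic is bursty and fails the test, a timer-driven loop passes it. The
    label names the report's timer the period matches, if any.
    """
    hits = []
    for (src, dst), times in posts.items():
        if len(times) < min_events:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0 or statistics.pstdev(gaps) / mean > max_jitter:
            continue
        label = next((name for name, p in KNOWN_PERIODS.items()
                      if abs(mean - p) / p <= max_jitter), "unknown timer")
        hits.append((src, dst, round(mean), label))
    return hits


# Constructed proxy log: 10.0.0.7 posts every 600 s with a few seconds of
# jitter, 10.0.0.8 posts irregularly like a person; only the first is flagged.
SAMPLE_LOG = [
    f"{1_700_000_000 + i * 600 + jitter} 10.0.0.7 203.0.113.10 POST"
    for i, jitter in enumerate([0, 3, -2, 5, 1, 0])
] + [
    "1700000100 10.0.0.8 198.51.100.5 POST",
    "1700000170 10.0.0.8 198.51.100.5 POST",
    "1700001900 10.0.0.8 198.51.100.5 POST",
    "1700003300 10.0.0.8 198.51.100.5 POST",
    "1700000200 10.0.0.7 203.0.113.10 GET",   # non-POST traffic is ignored
]

if __name__ == "__main__":
    for src, dst, period, label in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: POST every ~{period}s ({label})")
```

The 86,000-second timer needs at least four posts, so roughly four days of logs, before it becomes visible to this test; the 10-minute timer shows up within an hour.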
