New Russian Chisel malware is targeting Ukrainian military

In the ongoing war between Russia and Ukraine, cyberattacks have become a popular way for Russian forces to steal sensitive information. Now, according to a new report from the Five Eyes alliance nations – Australia, Canada, New Zealand, the United Kingdom, and the United States, Russian state hackers have deployed a new mobile malware strain called Infamous Chisel, which aims to steal crucial information necessary for Ukraine’s ongoing counter-offensive.

The Security Service of Ukraine (SBU) first discovered the malware back in August and highlighted the fact that Russian forces confiscated tablets utilized by the Ukrainian military on the battlefield and repurposed them as launchpads to remotely propagate the malware onto other Android devices.

How does the malware work?

As explained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Infamous Chisel malware works by replacing legitimate code within a system with external coding, creating a situation where the malware can persist while avoiding easy detection. Moreover, the malware not only permits threat actors to scan devices for information and files matching predefined file extensions but also enables them to transmit these files via established remote access channels. To make this possible, it configures and activates Tor with a hidden service, which subsequently connects to a modified version of Dropbear, offering SSH connections.

“Thursday’s warning reflects the need for all organizations to keep their Shields Up to detect and mitigate Russian cyber activity and the importance of continued focus on maintaining operational resilience under all conditions,” said Eric Goldstein, the Executive Assistant Director for Cybersecurity at CISA.

However, despite its functionality, researchers have found that the malware lacks basic stealth tactics to conceal its activities. This is primarily because it capitalizes on the fact that many Android devices do not possess host-based detection systems.

Who is behind the attack?

According to the report, the hacking group Sandworm, closely affiliated with the Russian Main Intelligence Directorate’s (GRU) Main Centre for Special Technologies (GTsST), is the principal perpetrator behind this attack. Furthermore, the group has been operational since 2014 and has been responsible for numerous other hacking campaigns.