Future Tech

Kremlin-backed Sandworm strikes Android devices with data-stealing Infamous Chisel

Tan KW
Publish date: Fri, 01 Sep 2023, 07:21 AM

Russia's Sandworm crew is using an Android malware strain dubbed Infamous Chisel to remotely access Ukrainian soldiers' devices, monitor network traffic, access files, and steal sensitive information, according to a Five Eyes report published Thursday.

The Sandworm gang, which Western government agencies have previously linked to Russia's GRU military intelligence unit, was behind a series of attacks leading up to the bloody invasion of neighboring Ukraine. They've continued infecting that country and its allies' computers with data wipers, info-stealers, ransomware, and other malicious code ever since.

Ukraine's security agency spotted and blocked Sandworm's latest campaign earlier this month when the Kremlin-backed cyber goons were attempting to use Infamous Chisel to break into the army's combat data exchange system. This attempt involved ten samples of the malware, all designed to steal data, according to the Security Service of Ukraine (SBU).

"The SBU operational response prevented Russia's intelligence services from gaining access to sensitive information, including the activity of the Armed Forces, deployment of the Defense Forces, their technical provision, etc," the Ukrainian security agency said.

In today's analysis of the Russian malware, the UK National Cyber Security Centre (NCSC), the NSA, the US government's CISA, the FBI, New Zealand's National Cyber Security Centre (NCSC-NZ), the Canadian Centre for Cyber Security, and Australian Signals Directorate (ASD) confirmed Ukraine's reports of Sandworm's new mobile malware.

Though the write-ups are technical, provide indicators of compromise for those worried about picking up the malware, and dive into the software nasty's code, it's not entirely clear how it gets onto targets' phones. It appears one way is through a debugging tool. It seems to us that its Russian operators have to go to some lengths to get the spyware onto Ukrainians' phones.

Infamous Chisel is a collection of components designed to snoop on the infected device and provides persistent backdoor access via the Tor network. It does this by "configuring and executing Tor with a hidden service which forwards to a modified Dropbear binary providing a SSH connection," the report says.
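The Tor hidden service forwarding to a local SSH daemon, as described above, leaves a fingerprint in whatever torrc the components drop on the device. The Python below is an added example, not code from the report or from the malware: it parses the standard Tor directives HiddenServiceDir and HiddenServicePort from a constructed sample config and flags forwards to an SSH-style port. The sample paths, ports and the triage rule are assumptions, not values from the report.

```python
import re
from dataclasses import dataclass

# Constructed sample torrc; paths and ports are invented for illustration,
# not taken from the Infamous Chisel report.
SAMPLE_TORRC = """\
# constructed sample
SocksPort 0
HiddenServiceDir /data/local/tmp/.hs
HiddenServicePort 22 127.0.0.1:2222
HiddenServiceDir /data/local/tmp/.hs2
HiddenServicePort 80 8080
HiddenServiceDir /data/local/tmp/.hs3
HiddenServicePort 9000
"""

# Tor syntax: HiddenServicePort VIRTPORT [TARGET], TARGET = host:port | port.
# With no TARGET, Tor forwards to 127.0.0.1:VIRTPORT.
_PORT_RE = re.compile(r"(\d+)(?:\s+(?:(\S+):)?(\d+))?$")

@dataclass
class HiddenService:
    directory: str
    virtual_port: int
    target_host: str
    target_port: int

def parse_hidden_services(torrc_text):
    """Return each hidden-service forward, grouped under the most recent
    HiddenServiceDir, which is how Tor itself reads the file."""
    services, current_dir = [], None
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "HiddenServiceDir":
            current_dir = value
        elif key == "HiddenServicePort" and current_dir is not None:
            m = _PORT_RE.match(value)
            if not m:
                continue
            vport = int(m.group(1))
            host = m.group(2) or "127.0.0.1"
            tport = int(m.group(3)) if m.group(3) else vport
            services.append(HiddenService(current_dir, vport, host, tport))
    return services

def flag_ssh_backdoors(services, ssh_ports=(22, 2222)):
    """Assumed triage rule: any hidden service on a phone deserves a look,
    but one exposing an SSH-style port matches the pattern the report describes."""
    return [s for s in services
            if s.virtual_port in ssh_ports or s.target_port in ssh_ports]
```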

After setting up shop on victims' mobile devices, the malware occasionally checks for information and files of interest to the Russian military, and scans the local network looking for active hosts and open ports.

It also steals and sends sensitive data back to the GRU, including system device information, commercial application information, and applications specific to the Ukrainian military.

"The exposure of this malicious campaign against Ukrainian military targets illustrates how Russia's illegal war in Ukraine continues to play out in cyberspace," NCSC Director of Operations Paul Chichester said in a statement.

This latest malware campaign follows a slew of other software nasties that Sandworm has used against Ukrainian victims before and during the war. This includes at least two types of disk-wiping malware, CaddyWiper and Industroyer2, plus destructive cyberattacks against a Ukrainian ISP and infrastructure agencies.

Last fall, Sandworm infected "multiple organizations in Ukraine" with RansomBoggs ransomware, and deployed Prestige ransomware against logistics and transportation networks in Poland, according to security researchers.

Ukraine and international law enforcement continue to fight back, and in April 2022 the US Justice Department revealed details of a court-authorized take-down of command-and-control infrastructure Sandworm used to communicate with network devices infected by its Cyclops Blink botnet.

The US Rewards for Justice program has also offered a $10 million reward for GRU officers linked to the Sandworm gang. ®


https://www.theregister.com//2023/08/31/sandworm_infamous_chisel/
