A threat actor known as BrazenBamboo exploited an unpatched security flaw in Fortinet's FortiClient for Windows to extract VPN credentials, using a modular framework called DEEPDATA.
Volexity, which released the findings on Friday, said it identified a zero-day exploit of the credential disclosure vulnerability in July 2024, describing BrazenBamboo as the developer of DEEPDATA, DEEPPOST, and LightSpy.
"DEEPDATA is a modular Windows post-exploitation tool used to collect a wide range of information from target devices," security researchers Callum Roxon, Charlie Gardner and Paul Rascagneres said Friday.
The malware first came to light earlier this week, when BlackBerry detailed a Windows-based surveillance framework used by the China-linked threat actor APT41 to collect data from WhatsApp, Telegram, Signal, WeChat, LINE, QQ, Skype, Microsoft Outlook, DingDing, Feishu and KeePass, as well as application passwords, web browser information, Wi-Fi hotspots and installed software.
"Since the initial development of the LightSpy spyware implant in 2022, the attacker has worked persistently and methodically to strategically target communications platforms with an emphasis on stealth and persistent access," BlackBerry's research team noted.
The core component of DEEPDATA is a dynamic-link library (DLL) loader named "data.dll" that decodes and runs 12 different plug-ins through an orchestrator module ("frame.dll"). Among the plug-ins is a previously undocumented "FortiClient" DLL that captures VPN credentials.
“This plug-in was found to exploit a zero-day vulnerability in the Fortinet VPN client on Windows that allows the extraction of credentials for a user from the memory of the client process,” the researchers said.
Volexity said it reported the flaw to Fortinet on July 18, 2024, but noted that the vulnerability remains unpatched. The Hacker News has reached out to the company for comment, and we’ll update when we hear back.
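Because the flaw is unpatched, the practical defender's question is how to spot the behaviour the researchers describe: a foreign process reading the memory of the FortiClient VPN process, and the DEEPDATA components (data.dll, frame.dll) being loaded on a host. The script below is an added example, not code from the article or from Volexity; it triages Sysmon-style events (Event ID 10 ProcessAccess and Event ID 7 ImageLoad) expressed as newline-delimited JSON. The VPN client process name, the allowlist and the sample events are constructed placeholders and must be replaced with values from your own environment.

```python
"""
Added example (not from the article or Volexity): triage Sysmon-style events
for two behaviours the article describes:
  * a process reading the memory of the FortiClient VPN process
    (Sysmon Event ID 10, ProcessAccess), and
  * loads of unsigned modules named like the DEEPDATA components,
    data.dll and frame.dll (Sysmon Event ID 7, ImageLoad).
"""
import json
from pathlib import PureWindowsPath

# Assumption: placeholder for the FortiClient VPN process image name;
# substitute the real image name from your own Fortinet installation.
VPN_CLIENT_IMAGE = "forticlient_vpn_placeholder.exe"

# Module names taken from the article's description of DEEPDATA.
SUSPECT_MODULES = {"data.dll", "frame.dll"}

# Constructed allowlist of processes expected to open the VPN client; tune locally.
ALLOWED_ACCESSORS = {VPN_CLIENT_IMAGE, "csrss.exe", "lsass.exe"}

# PROCESS_VM_READ access right; Sysmon logs GrantedAccess as a hex string.
PROCESS_VM_READ = 0x10


def basename(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def check_process_access(ev):
    """Flag cross-process reads of the VPN client's memory by non-allowlisted images."""
    if ev.get("EventID") != 10:
        return None
    if basename(ev["TargetImage"]) != VPN_CLIENT_IMAGE:
        return None
    if basename(ev["SourceImage"]) in ALLOWED_ACCESSORS:
        return None
    if not (int(ev["GrantedAccess"], 16) & PROCESS_VM_READ):
        return None
    return f"memory read of {VPN_CLIENT_IMAGE} by {ev['SourceImage']}"


def check_image_load(ev):
    """Flag unsigned modules whose names match the DEEPDATA components."""
    if ev.get("EventID") != 7:
        return None
    if basename(ev["ImageLoaded"]) not in SUSPECT_MODULES:
        return None
    if str(ev.get("Signed", "false")).lower() == "true":
        return None
    return f"unsigned {basename(ev['ImageLoaded'])} loaded by {ev['Image']}"


def triage(lines):
    """Run both checks over newline-delimited JSON events; return (EventID, finding) pairs."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for check in (check_process_access, check_image_load):
            hit = check(ev)
            if hit:
                findings.append((ev["EventID"], hit))
    return findings


# Constructed sample events (not real telemetry); backslashes are JSON-escaped.
SAMPLE_EVENTS = r"""
{"EventID": 10, "SourceImage": "C:\\Users\\Public\\svc.exe", "TargetImage": "C:\\Program Files\\Fortinet\\forticlient_vpn_placeholder.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Program Files\\Fortinet\\forticlient_vpn_placeholder.exe", "GrantedAccess": "0x1fffff"}
{"EventID": 7, "Image": "C:\\Users\\Public\\svc.exe", "ImageLoaded": "C:\\Users\\Public\\frame.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"}
"""

if __name__ == "__main__":
    for event_id, finding in triage(SAMPLE_EVENTS.splitlines()):
        print(f"[Sysmon {event_id}] {finding}")
```

Run against the constructed sample, the script reports two findings: the memory read of the VPN client by `svc.exe` and the unsigned `frame.dll` load; the allowlisted `csrss.exe` access and the signed `kernel32.dll` load are ignored. The `Signed` check matters because `data.dll` and `frame.dll` are generic names, so the module name alone would be a noisy indicator.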
Another tool in BrazenBamboo’s malware portfolio is DEEPPOST, a post-exploitation data-stealing tool capable of transferring files to a remote endpoint.
DEEPDATA and DEEPPOST add to the already substantial cyber espionage capabilities of the threat actor, expanding on LightSpy, which exists in variants for macOS, iOS and now Windows.
"The architecture of the Windows variant of LightSpy differs from the other documented OS variants," Volexity said. "This variant is deployed by an installer, which deploys a library to execute shellcode in memory. The shellcode loads and decodes the orchestrator component from the command-and-control (C2) server."
The orchestrator is executed using a loader called BH_A006, which was previously used by an alleged Chinese threat group named Space Pirates that has a history of attacks on Russian organizations.
However, it is currently unclear whether this overlap is because BH_A006 is commercially available malware or because it is evidence of a digital quartermaster responsible for maintaining a centralized set of tools and techniques shared among Chinese threat actors.
The LightSpy orchestrator, once launched, uses WebSocket and HTTPS for communication and data exfiltration, respectively, and employs a total of eight plug-ins to record from the webcam, launch a remote shell to execute commands, and collect audio, browser data, files, keystrokes, screen captures, and a list of installed software.
LightSpy and DEEPDATA share several overlaps at the code and infrastructure level, suggesting that the two malware families are likely the work of a private enterprise tasked with developing hacking tools for government operators, as exemplified by companies such as Chengdu 404 and I-Soon.
“BrazenBamboo is a well-resourced threat actor that supports multi-platform capabilities with longevity of operation,” Volexity concluded. “The breadth and maturity of their capabilities indicates both the capability of the development function and the operational requirements that drive development outcomes.”