FBI, GCHQ joint report warns of crypto-targeting Infamous Chisel malware
A joint advisory report revealed new Russian Infamous Chisel malware is being used to target cryptocurrency wallet and exchange applications, among other data.
The report was a combined effort of the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), the National Cyber Security Centre (NCSC), a part of the UK’s GCHQ, and others.
The malware is associated with activity linked to a hacking unit within Russia’s GRU military intelligence agency known as Sandworm, which has been targeting the Ukrainian military, according to the report. It’s designed to allow continuous access to a compromised Android device via the Tor network and periodically gather and send out victim data from the affected devices.
As part of this unauthorized copying, transfer or retrieval of data, the malware searches for specific application directories on a device, including those belonging to the Web3 browser Brave, the Binance and Coinbase apps, the Trust crypto wallet, and the communications platforms Telegram and Discord; every file in those directories is extracted. It also targets the Android Keystore system, which lets users store private keys.
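The behaviour described above, one process sweeping the private data directories of several unrelated apps plus the keystore, is the kind of pattern a host-based monitor on the device could flag. The script below is an added illustration of that detection heuristic; it is not code from the advisory or from the agencies. The file-access event format, the sample events, the Android package names and the keystore directory path are all assumptions made here for the example.

```python
"""Toy detection heuristic: flag a process that reads from several
sensitive app data directories or the keystore. Added illustration only;
the log format, package names and paths are assumptions, not from the report."""
import re
from collections import defaultdict

# Assumed Android package names for the apps named in the advisory.
SENSITIVE_PACKAGES = {
    "com.brave.browser": "Brave",
    "com.binance.dev": "Binance",
    "com.coinbase.android": "Coinbase",
    "com.wallet.crypto.trustapp": "Trust Wallet",
    "org.telegram.messenger": "Telegram",
    "com.discord": "Discord",
}
# Assumed on-disk location of the Android keystore service's files.
KEYSTORE_DIR = "/data/misc/keystore"

# Private app data lives under /data/data/<pkg>/ or /data/user/<n>/<pkg>/.
APP_DATA_RE = re.compile(r"^/data/(?:data|user/\d+)/([A-Za-z0-9_.]+)/")
# Assumed event format: "<timestamp> pid=<n> proc=<name> path=<file>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) path=(?P<path>\S+)$"
)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = """\
2023-08-31T10:00:01Z pid=1201 proc=org.telegram.messenger path=/data/data/org.telegram.messenger/files/cache.db
2023-08-31T10:00:02Z pid=1337 proc=shell path=/data/data/com.brave.browser/app_chrome/Default/Cookies
2023-08-31T10:00:03Z pid=1337 proc=shell path=/data/data/com.binance.dev/shared_prefs/prefs.xml
2023-08-31T10:00:04Z pid=1337 proc=shell path=/data/user/0/com.wallet.crypto.trustapp/files/wallet.json
2023-08-31T10:00:05Z pid=1337 proc=shell path=/data/misc/keystore/user_0/1000_USRPKEY_mykey
2023-08-31T10:00:06Z pid=1500 proc=com.coinbase.android path=/data/data/com.coinbase.android/cache/x
2023-08-31T10:00:07Z pid=1600 proc=system_server path=/data/data/com.discord/files/x
"""


def classify_path(path):
    """Return the sensitive data source a path belongs to, or None."""
    if path.startswith(KEYSTORE_DIR + "/"):
        return "AndroidKeystore"
    m = APP_DATA_RE.match(path)
    if m and m.group(1) in SENSITIVE_PACKAGES:
        return SENSITIVE_PACKAGES[m.group(1)]
    return None


def parse_events(text):
    """Yield (timestamp, pid, process, path) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield m.group("ts"), int(m.group("pid")), m.group("proc"), m.group("path")


def find_suspicious_readers(text, threshold=2):
    """Flag processes that read from at least `threshold` distinct sensitive
    sources. An app reading its own private directory is normal and ignored."""
    touched = defaultdict(set)
    proc_name = {}
    for _ts, pid, proc, path in parse_events(text):
        src = classify_path(path)
        if src is None:
            continue
        m = APP_DATA_RE.match(path)
        if m and m.group(1) == proc:
            continue  # the owning app accessing its own data
        touched[pid].add(src)
        proc_name[pid] = proc
    return [
        {"pid": pid, "proc": proc_name[pid], "sources": sorted(sources)}
        for pid, sources in sorted(touched.items())
        if len(sources) >= threshold
    ]


if __name__ == "__main__":
    for alert in find_suspicious_readers(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample, only the `shell` process (pid 1337) is flagged: it touches Brave, Binance, Trust Wallet and the keystore, while each app reading its own directory and a single cross-app access fall below the threshold. A real deployment would tune the threshold and the package list and add a time window, but the core signal, breadth of access across unrelated apps' private data, is exactly what the advisory says this malware produces.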
Hiding in plain sight
The components used by Infamous Chisel are of low to medium sophistication, developed with little regard for the concealment of the malicious activity, according to the report. “Although the components lack basic obfuscation or stealth techniques to disguise activity, the actor may have deemed this not necessary, since many Android devices do not have a host-based detection system,” the agencies said.
However, “even with the lack of concealment functions, these components present a serious threat because of the impact of the information they can collect,” they added.
With digital assets becoming increasingly valuable, cybercriminals have been devising new methods to breach security protocols. Last month, security researchers issued warnings on malware aimed at stealing Apple users’ crypto assets via fake blockchain games, for example.