A threat actor known as BrazenBamboo has exploited an unresolved security flaw in Fortinet’s FortiClient for Windows to extract VPN credentials as part of a modular framework called DEEPDATA.

Volexity, which disclosed the findings Friday, said it identified the zero-day exploitation of the credential disclosure vulnerability in July 2024, describing BrazenBamboo as the developer behind DEEPDATA, DEEPPOST, and LightSpy.

“DEEPDATA is a modular post-exploitation tool for the Windows operating system that is used to gather a wide range of information from target devices,” security researchers Callum Roxan, Charlie Gardner, and Paul Rascagneres said Friday.

The malware first came to light earlier this week, when BlackBerry detailed the Windows-based surveillance framework as used by the China-linked APT41 threat actor to harvest data from WhatsApp, Telegram, Signal, WeChat, LINE, QQ, Skype, Microsoft Outlook, DingDing, Feishu, KeePass, as well as application passwords, web browser information, Wi-Fi hotspots, and installed software.

Cybersecurity

“Since their initial development of the LightSpy spyware implant in 2022, the attacker has been persistently and methodically working on the strategic targeting of communication platforms, with the emphasis on stealth and persistent access,” the BlackBerry threat research team noted.

The core component of DEEPDATA is a dynamic-link library (DLL) loader called “data.dll” that’s engineered to decrypt and launch 12 different plugins using an orchestrator module (“frame.dll”). Present among the plugins is a previously undocumented “FortiClient” DLL that can capture VPN credentials.

“This plugin was found to exploit a zero-day vulnerability in the Fortinet VPN client on Windows that allows it to extract the credentials for the user from memory of the client’s process,” the researchers said.

Volexity said it reported the flaw to Fortinet on July 18, 2024, but noted that the vulnerability remains unpatched. The Hacker News has reached out to the company for comment, and we will update the story if we hear back.

Another tool that’s part of BrazenBamboo’s malware portfolio is DEEPPOST, a post-exploitation data exfiltration tool that’s capable of exfiltrating files to a remote endpoint.

DEEPDATA and DEEPPOST add to the threat actor’s already powerful cyber espionage capabilities, expanding on LightSpy, which comes in different flavors for macOS, iOS, and now Windows.

“The architecture for the Windows variant of LightSpy is different from other documented OS variants,” Volexity said. “This variant is deployed by an installer that deploys a library to execute shellcode in memory. The shellcode downloads and decodes the orchestrator component from the [command-and-control] server.”

The orchestrator is executed by means of a loader called BH_A006, which has been previously put to use as early as by a suspected Chinese threat group referred to as Space Pirates, which has a history of targeting Russian entities.

Cybersecurity

That said, it’s currently not clear if this overlap is due to whether BH_A006 is a commercially available malware or is evidence of a digital quartermaster that’s responsible for overseeing a centralized pool of tools and techniques among Chinese threat actors.

The LightSpy orchestrator, once launched, uses WebSocket and HTTPS for communication for data exfiltration, respectively, and leverages as many as eight plugins to record webcam, launch a remote shell to execute commands, and collect audio, browser data, files, keystrokes, screen captures, and a list of installed software.

LightSpy and DEEPDATA share several code- and infrastructure-level overlaps, suggesting that the two malware families are likely the work of a private enterprise that has been tasked with developing hacking tools for governmental operators, as evidenced by companies like Chengdu 404 and I-Soon.

“BrazenBamboo is a well-resourced threat actor who maintains multi-platform capabilities with operational longevity,” Volexity concluded. “The breadth and maturity of their capabilities indicates both a capable development function and operational requirements driving development output.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Source: thehackernews.com/