Infamous Chisel

On completion of this scan, the .ndata.tmp file is moved to the filename .ndata.csv in the same directory. This file is exfiltrated immediately, and both files removed from the tmp directory.

The contents of this file will appear similar to:

INTERFACE = eth0
SOURCE = 192.168.0.2
IP begin = 192.168.0.0
IP end = 192.168.0.255
PORTS =
PING off
SCAN tcp

*******start*scan********

Host 192.168.0.0: Host 192.168.0.1:
tcp - 135:[ tcp - 139:[ tcp - 443:[ tcp - 445:[
Host 192.168.0.2:
Host 192.168.0.3:
Host 192.168.0.4:

<Remaining hosts omitted for brevity>

The following command line parameters are present, but only a small portion is used:  

-ip, -p, -o, -i, -noping, -udp, -n, -s, -t, -c, -h, --help

Command line help is also included:

Usage minmap -ip* <ip-addr: 192.168.0.1/ip-range: 192.168.0.0/24> -p* <port: 80/port-range: 22,25-125/top> -udp <default tcp> -noping <default yes> -o <out_file> -t <timeout> <-n> -c <try_count> -s <source ip> -i <interface/any> <-h/--help (print this help)

td

The td utility provides Tor directory services and is compiled for ARM with no obvious modifications. The configuration for this is generated by the blob component, used for Tor management, described in the ‘Components (blob)’ section, and saved at the path /data/local/prx.cfg. This file contains:

SocksPort 127.0.0.1:1129 PreferSOCKSNoAuth%sExitPolicy reject *:*
DataDirectory /data/local/prx/
RunAsDaemon 1
HiddenServiceDir /data/local/prx/hs/
HiddenServicePort 34371 127.0.0.1:34371

This configuration provides a Socket Secure version 4 (SOCKS4) connection on the local port 1129 enabling the Tor network to be used. The blob component uses this for network connectivity checks.

The hidden service port is set to 34371 with the directory for hidden service information being set to /data/local/prx/hs/.

During the execution of td an .onion domain for a hidden service is randomly generated at the path /data/local/prx/hs/hostname which is then exfiltrated by netd. The db component performs further configuration detailed in the ‘Multi-call binaries (Watchdog)’ section of this report to enable a SSH connection via this .onion domain. This gives the actor the ability to create an SSH session by connecting to the hidden service across Tor.

blob

The blob component is responsible for configuring Tor services and checking network connectivity. Every 15 seconds the tmp directory is checked for the blob utility, and if found, it is moved to the /data/local directory from the /data/local/tmp/blob directory, overwriting any existing version. Every 6,000 seconds (1 hour and 40 minutes) blob is then run from the /data/local directory.

netd executes blob which is responsible for configuring and executing Tor services provided by td. When run, it performs the following actions:

1. Checks local host for the port 1129 being open, exiting if it is.
2. Checks for the existence of /data/local/td. If this is not present, extracts it from /data/local/td.bz2 (bzip2 compressed data).
3. Creates the configuration file at the path: /data/local/prx.cfg. The contents of which are detailed in the ‘Components (td)’ section above.
4. td is executed with this configuration file being supplied with the -f command line parameter: /data/local/td -f /data/local/prx.cfg.
5. db the modified Dropbear SSH utility is checked for at the path /data/local/db. If this file is not present, it is extracted from /data/local/db.bz2. db is then executed immediately after, with no command line parameters being passed.
6. blob then enters a loop where it performs a network connectivity check against the domain www.geodatatool[.]com connecting on the local SOCKS4 address provided by the td utility 127.0.0[.]1:1129 every 3 minutes.
7. It checks the second byte of the response from this domain to be the character Z (0x5a) to validate a legitimate response has been received from the server. Nothing further is done with the data; this is simply an internet connection check.
8. If this request fails or the server doesn’t return the expected data, blob terminates the execution of td.

tcpdump

The tcpdump utility (version 4.1.1) is compiled for ARM with no obvious modifications. This provides traffic capturing and monitoring functionality via the command line.

Multi-call binaries: db, NDBR_armv7l and NDBR_i686

The db utility contains multiple individual utilities which are selected based on the command line parameters supplied:

The command line help for dropbear, dropbearkey, nmap and scp can be found in the ‘Appendix’ section of this report.

dropbear, present within db, provides secure shell access to the device via the Tor hidden service. IP Tables rules configured allow incoming TCP connections destined for port 34371 through the firewall. The Tor utility executed by blob on the device is configured to provide a hidden service on this port, then forward connections to the local dropbear instance. The .onion address has already been exfiltrated enabling the actor to connect to it. Modifications have been made to dropbear authentication mechanisms.

The scp utility does not appear to have been modified. The nmap utility has the same functionality as the version in netd but is executed manually by actor interaction.

The watchdog, rmflag and mkflag utilities appear to be additional actor-created code that has been incorporated to perform some configuration for dropbear.

The directory sessions.log.d is created under /data/local/tmp/, and puts all standard Dropbear files under this directory alongside the custom actor file remove_file.flag.

Watchdog

The watchdog utility performs setup and executes dropbear. This setup includes:

File and directory creation

• /data/local/tmp/sessions.log.d
• /data/local/tmp/sessions.log.d/.ssh
• /data/local/tmp/sessions.log.d/.ssh/remove_file.flag

remove_file.flag file is created containing the string run when any of the multi-call utilities run Dropbear. This will be collected and exfiltrated by netd giving the actor an indicator that the SSH server is active.

Authorized hosts setup

A host key is placed into the directory:

/data/local/tmp/sessions.log.d/.ssh/authorized_keys

IP Tables Rules

/usr/sbin/iptables is executed with the parameters:

-A INPUT -p tcp --dport 34371 -j ACCEPT -I

mkflag

The mkflag utility creates the directories and files that watchdog creates but does not perform any host file or IP table manipulation, and then runs dropbear.

rmflag

The rmflag utility deletes /data/local/tmp/sessions.log.d/.ssh/remove_file.flag

Modified Dropbear functions

The actor has modified authentication mechanisms in Dropbear.

fill_passwd

The Dropbear function fill_passwd is used to verify that a supplied username is a valid account and return information required to process authentication.

The unmodified source code for this can be found in the ‘Appendix (Dropbear fill_passwd function)’ section of this report.

This function calls multiple Linux library functions, getpwnam, getspnam, getpwuid, but in the modified version actor replacement functions are called instead, each of these are discussed below.

getpwnam

getpwnam Linux library function accepts a username and cross-references it with the passwd file usually stored at /etc/passwd for the corresponding entry containing the colon concatenated fields:

• username
• user password
• user ID
• group ID
• user information
• home directory
• shell program

On most modern systems, an x in the user password field is used to denote that the password hash is stored in the /etc/shadow file that requires root privileges to read. On an Android device, there are typically no such files, so the structure that would usually be retrieved from the passwd file is generated instead.

The actor has replaced this function with their own, where if a particular username is seen it returns a hard-coded response. If the expected username is not seen, the /etc/passwd file is checked for the corresponding username as normal.

getpwuid

getpwuid Linux /library accepts a uid and returns the corresponding structure above typically from the /etc/passwd file. The actor has replaced this function to check for the uid of 0xbeef and return the hard-coded structure detailed above, if found. If 0xbeef is not seen, it will revert to checking /etc/passwd.

getspnam

getspnam Linux library function accepts a username and cross-references it with the shadow file usually stored at /etc/shadow for the corresponding entry that contains the dollar concatenated fields:

• id
• salt
• hash

Typically on an Android device, this function would return NULL, but the actor replacement function uses the Linux version.

There does not appear to be any modifications other than those detailed above, but there may be other patches implemented.

NDBR

The NDBR_armv7l and NDBR_i686 utilities contain multiple individual utilities compiled for ARM and x86 respectively. They both include the above authentication mechanism modification, although with different credentials, and otherwise appear to be the same.

These utilities also have some functionality overlap with the VPNFilter malware but appear to be an evolution.[1] killer killer is a simple program, the main purpose of which is to terminate netd.

It achieves this by performing the following steps:

1. Iterates through all Process Identifiers (PIDs) in the range 2 through to 0x3FFFFF.
2. Checks the first line of /proc/<pid>/status for the string netd.
3. Checks the target of the link referenced at /proc/<pid>/exe against netd.
4. Checks the executable name is not netd_ (The legitimate backup executed by the malicious netd).
5. Terminates the malicious netd leaving the legitimate netd_ running.

Communications

netd file exfiltration

When a file is to be exfiltrated, a Transport Layer Security (TLS) connection is initiated to a hardcoded local IP and port.

If a connection to the local IP and port fails, a hard-coded domain is used as a fallback connection. The IP address for this domain is resolved using a request to dns.google.

POST /dns-query HTTP/1.1 
Host: dns.google
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0)
Gecko/20100101 Firefox/47.0
Accept: application/dns-message Content-Type: application/dns-message
Content-Length:

The following HTTP Post request is used to exfiltrate data:

• The Android ID is generated by the initial script run, using the command settings get secure android_id.
• Type denotes the exfiltration type:
  • 0 is used for the file searches, triage script and configurations files.
  • 1 is used for other information such as the Tor domain.

Conclusion

The Infamous Chisel components are low to medium sophistication and appear to have been developed with little regard to defence evasion or concealment of malicious activity. 

The searching of specific files and directory paths that relate to military applications and exfiltration of this data reinforces the intention to gain access to these networks. Although the components lack basic obfuscation or stealth techniques to disguise activity, the actor may have deemed this not necessary, since many Android devices do not have a host-based detection system Two interesting techniques are present in Infamous Chisel:

• the replacement of the legitimate netd executable to maintain persistence
• the modification of the authentication function in the components that include dropbear

These techniques require a good level of C++ knowledge to make the alterations and an awareness of Linux authentication and boot mechanisms.

Even with the lack of concealment functions, these components present a serious threat because of the impact of the information they can collect.

Detection

Indicators of compromise

Indicators of compromise suspicious in the context of an Android device

Rules and signatures

Appendix

Dropbear unmodified fill_passwd function

void fill_passwd(const char* username) {       
            struct passwd *pw = NULL;     
            if (ses.authstate.pw_name) 
                   m_free(ses.authstate.pw_name);     
            if (ses.authstate.pw_dir)
                   m_free(ses.authstate.pw_dir);
           if (ses.authstate.pw_shell) 
                   m_free(ses.authstate.pw_shell);
           if (ses.authstate.pw_passwd)
                   m_free(ses.authstate.pw_passwd);

           pw = getpwnam(username);
           if (!pw) {
            return;
      }

      ses.authstate.pw_uid = pw->pw_uid;       
      ses.authstate.pw_gid = pw->pw_gid;   
      ses.authstate.pw_name = m_strdup(pw->pw_name);       
      ses.authstate.pw_dir = m_strdup(pw->pw_dir);   
      ses.authstate.pw_shell = m_strdup(pw->pw_shell);
      {
            char *passwd_crypt = pw->pw_passwd;
#ifdef HAVE_SHADOW_H
            /* get the shadow password if possible */
            struct spwd *spasswd = getspnam(ses.authstate.pw_name);
            if (spasswd && spasswd->sp_pwdp) {
                  passwd_crypt = spasswd->sp_pwdp;
            }
#endif
            if (!passwd_crypt) {
                  /* android supposedly returns NULL */
                  passwd_crypt = "!!";
            }
            ses.authstate.pw_passwd = m_strdup(passwd_crypt);
      }
}

Dropbear unmodified login_init_entry function

/* login_init_entry(struct logininfo *, int, char*, char*, char*)
* - initialise a struct logininfo  *
* Populates a new struct logininfo, a data structure meant to carry
* the information required to portably record login info.
*
* Returns: 1
*/

int
login_init_entry(struct logininfo *li, int pid, const char *username,
         const char *hostname, const char *line)
{
      struct passwd *pw;

      memset(li, 0, sizeof(*li));

      li->pid = pid;

      /* set the line information */

      if (line)
            line_fullname(li->line, line, sizeof(li->line));

      if (username) {
            strlcpy(li->username, username, sizeof(li->username));
            pw = getpwnam(li->username);
            if (pw == NULL)
                  dropbear_exit("login_init_entry: Cannot find user

\"%s\"",
                              li->username);
            li->uid = pw->pw_uid;
      }

      if (hostname)
           strlcpy(li->hostname, hostname, sizeof(li->hostname));

      return 1;

Dropbear unmodified sessionpty function

/* Set up a session pty which will be used to execute the shell or program.
* The pty is allocated now, and kept for when the shell/program executes.
* Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE
*/

static int sessionpty(struct ChanSess * chansess) {

      unsigned int termlen;
      char namebuf[65];
      struct passwd * pw = NULL;

      TRACE(("enter sessionpty"))

      if (!svr_pubkey_allows_pty()) {
            TRACE(("leave sessionpty : pty forbidden by public key option"))
             return DROPBEAR_FAILURE;
      }

      chansess->term = buf_getstring(ses.payload, &termlen);
      if (termlen > MAX_TERM_LEN) {
            /* TODO send disconnect ? */
            TRACE(("leave sessionpty: term len too long"))
            return DROPBEAR_FAILURE;
      }

      /* allocate the pty */
      if (chansess->master != -1) {
              dropbear_exit("Multiple pty requests");
      }

      if (pty_allocate(&chansess->master, &chansess->slave, namebuf, 64) == 0) {
            TRACE(("leave sessionpty: failed to allocate pty"))
            return DROPBEAR_FAILURE;
      }        

      chansess->tty = m_strdup(namebuf);
      if (!chansess->tty) {
          dropbear_exit("Out of memory"); /* TODO disconnect */
      }

      pw = getpwnam(ses.authstate.pw_name);
      if (!pw)
            dropbear_exit("getpwnam failed after succeeding previously");
      pty_setowner(pw, chansess->tty);

      /* Set up the rows/col counts */
      sessionwinchange(chansess);

      /* Read the terminal modes */
      get_termmodes(chansess);

      TRACE(("leave sessionpty"))
      return DROPBEAR_SUCCESS;
}

Nmap command line options

Dropbear SSH client v2020.81
https://matt.ucc.asn.au/dropbear/dropbear.html
Usage: dbclient [options] [user@]host[/port][,[user@]host/port],...]
[command]
-p <remoteport>
-l <username>
-t    Allocate a pty
-T    Don't allocate a pty
-N    Don't run a remote command
-f    Run in background after auth
-y    Always accept remote host key if unknown
-y -y Don't perform any remote host key checking (caution)
-s    Request a subsystem (use by external sftp)
-o option     Set option in OpenSSH-like format ('-o help' to list options)
-i <identityfile>   (multiple allowed, default .ssh/id_dropbear) -A    Enable agent auth forwarding
-L <[listenaddress:]listenport:remotehost:remoteport> Local port forwarding
-g    Allow remote hosts to connect to forwarded ports
-R <[listenaddress:]listenport:remotehost:remoteport> Remote port forwarding
-W <receive_window_buffer> (default 24576, larger may be faster, max 1MB)
-K <keepalive>  (0 is never, default 30)
-I <idle_timeout>  (0 is never, default 1800)
-B <endhost:endport> Netcat-alike forwarding
-J <proxy_program> Use program pipe rather than TCP connection
-c <cipher list> Specify preferred ciphers ('-c help' to list options)-m <MAC list> Specify preferred MACs for packet verification (or '-m help')
-b    [bind_address][:bind_port]
-V    Version

scp
usage: scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]
           [-l limit] [-P port] [-S program]
           [[user@]host1:]file1 [...] [[user@]host2:]file2

Dropbearkey command line options

Must specify a key filename
Usage: dropbearkey -t <type> -f <filename> [-s bits]
-t type       Type of key to generate. One of:
                  rsa
                  dss
                  ecdsa
                  ed25519
-f filename    Use filename for the secret key.
                     ~/.ssh/id_dropbear is recommended for client keys.
-s bits    Key size in bits, should be a multiple of 8 (optional)
              DSS has a fixed size of 1024 bits ECDSA has sizes 256 384 521 
              Ed25519 has a fixed size of 256 bits
-y           Just print the publickey and fingerprint for the private key in <filename>.

Dropbear server command line options

Dropbear server v2020.81 https://matt.ucc.asn.au/dropbear/dropbear.html
Usage: dropbear [options]
-b bannerfile     Display the contents of bannerfile before user login
           (default: none)
-r keyfile      Specify hostkeys (repeatable)
            defaults: 
- dss /tmp/sessions.log.d/dropbear_dss_host_key
- rsa /tmp/sessions.log.d/dropbear_rsa_host_key
- ecdsa /tmp/sessions.log.d/dropbear_ecdsa_host_key
- ed25519 /tmp/sessions.log.d/dropbear_ed25519_host_key
-R          Create hostkeys as required
-F          Don't fork into background
(Syslog support not compiled in, using stderr)
-w         Disallow root logins
-G         Restrict logins to members of specified group
-s          Disable password logins
-g          Disable password logins for root
-B          Allow blank password logins
-T          Maximum authentication tries (default 10)
-j            Disable local port forwarding
-k           Disable remote port forwarding
-a          Allow connections to forwarded ports from any host
-c command Force executed command
-p [address:]port
            Listen on specified tcp port (and optionally address),
            up to 10 can be specifie
            (default port is 2222 if none specified)
-P PidFile Create pid file PidFile
            (default /var/run/sessionlog.pid)
-i          Start for inetd
-W <receive_window_buffer> (default 24576, larger may be faster, max 1MB)
-K <keepalive>  (0 is never, default 30, in seconds)
-I <idle_timeout>  (0 is never, default 1800, in seconds)
-V          Version

Disclaimer

This report draws on information derived from NCSC and industry sources. Any NCSC findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. 

Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk. 

All material is UK Crown Copyright ©