BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA

Volexity found that the Chinese state‑affiliated actor BrazenBamboo weaponized a zero‑day vulnerability in Fortinet’s FortiClient Windows VPN to extract VPN credentials from process memory and integrated that capability into the modular DEEPDATA post‑exploitation framework. The reporting details DEEPDATA, DEEPPOST (file exfiltration), and a new Windows LIGHTSPY variant, along with associated C2 infrastructure and indicators. #BrazenBamboo #DEEPDATA

Keypoints

  • Volexity discovered and reported a zero‑day in FortiClient that leaves VPN credentials in process memory, which BrazenBamboo exploited via a DEEPDATA plugin.
  • DEEPDATA is a modular Windows post‑exploitation framework with a VFS, loader (data.dll), core components (e.g., frame.dll), and at least 12 plugins for data collection.
  • DEEPPOST is a separate exfiltration tool used to send files over HTTPS to a hardcoded API endpoint (e.g., /api/third/file/upload/), typically on port 29983.
  • BrazenBamboo is attributed as the developer of multiple families (DEEPDATA, LIGHTSPY, DEEPPOST) with overlapping code, PDBs, URL patterns, and infrastructure.
  • A previously undocumented Windows LIGHTSPY variant was found; it uses an in‑memory loader/orchestrator, a distinctive UDP handshake, WebSocket/HTTPS C2, and multiple surveillance plugins.
  • C2 infrastructure is sizable and varied (multiple hosts, distinctive URL path patterns and ports), with evidence of operator panels, developer change logs, and tooling for large‑scale data analysis.

MITRE Techniques

  • [T1056.001] Keylogging – LIGHTSPY plugin records keystrokes (‘Keyboard records keystrokes’).
  • [T1113] Screen Capture – LIGHTSPY plugin records the user’s screen (‘Records the user’s screen using the libavcodec library’).
  • [T1123] Audio Capture – DEEPDATA/LIGHTSPY can record audio on compromised devices (‘Record audio on compromised devices.’ / ‘Records audio using the libavcodec library’).
  • [T1055] Process Injection – Loader and plugins execute shellcode and employ Heaven’s Gate to run 32‑bit code in 64‑bit processes (‘Contains Heaven’s Gate code to load 32-bit code in 64-bit processes’ / ‘deploys a library to execute shellcode in memory’).
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 and communications use WebSocket and HTTPS for command/control and exfiltration (‘uses WebSocket and HTTPS for communication’).
  • [T1567.002] Exfiltration Over Web Service – DEEPPOST uploads files via HTTPS to a hardcoded API endpoint (/api/third/file/upload/) for data exfiltration (‘Exfiltration is performed via HTTPS to a hardcoded API endpoint, /api/third/file/upload/’).
  • [T1003.001] OS Credential Dumping: LSASS Memory – Use of Mimikatz on Windows (‘By using Mimikatz’). Note that the FortiClient plugin (msenvico.dll) reads VPN credentials from the FortiClient process’s memory rather than from LSASS, so that capability is better described by the parent technique T1003 than by this sub‑technique.
  • [T1555.003] Credentials from Web Browsers – Plugins collect browser history, cookies, and stored passwords from multiple browsers (‘Collect history, cookies, and passwords from Firefox, Chrome, Opera, and Edge web browsers’).

Indicators of Compromise

  • [SHA256] deepdata.zip – 666a4c569d435d0e6bf9fa4d337d1bf014952b42cc6d20e797db6c9df92dd724
  • [SHA256/MD5/SHA1] localupload.exe (DEEPPOST) – SHA256: f4e72145e761bcc8226353bb121eb8e549dc0000c6535bfa627795351037dc8e, MD5: 533297a7084039bf6bda702b752e6b82, SHA1: 20214e2e93b1bb37108aa1b8666f6406fabca8a0
  • [IP addresses] C2 hosts – 103.27.109[.]217, 103.27.108[.]207 (overlaps noted with public reporting), and 121.201.109[.]98
  • [Filenames] malware components & loaders – deepdata.zip, data.dll, mod.dat, msenvico.dll (FortiClient plugin), localupload.exe, pic32.png / pic64.png
  • [URL paths / patterns] C2 path indicators – API endpoint ‘/api/third/file/upload/’ (DEEPPOST), URL path prefix ‘963852741’ (LIGHTSPY), and keyboard‑walk strings like ‘qweasdzxc’ (DEEPDATA URL patterns)
  • [Ports] service/C2 ports – DEEPPOST example upload port 29983; DEEPDATA ports 28443 / 28992 / 28993 (management, plugin hosting, communication)
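The indicators above are easiest to act on when turned into a small matcher that can be run over proxy or firewall logs and file hashes. The following Python script is an added example, not code from the Volexity report or from the DEEPDATA/DEEPPOST tooling; the log line format, the sample lines, the benign file contents, and the reading of ‘963852741’ as a leading path segment are all assumptions made for illustration.

```python
"""IoC matcher built from the indicators listed on this page.

Added example (not Volexity's code): scans proxy-style log lines for the C2
hosts, ports and URL path patterns above, and looks up file hashes/filenames.
The log format and the sample lines are constructed for illustration.
"""
import hashlib
import re
from typing import List, Optional, Tuple

# Indicators copied from the page. IPs are stored re-fanged (no "[.]").
C2_IPS = {"103.27.109.217", "103.27.108.207", "121.201.109.98"}
C2_PORTS = {28443, 28992, 28993, 29983}   # DEEPDATA 28443/28992/28993, DEEPPOST 29983
URL_PATTERNS = {
    "deeppost_upload": re.compile(r"/api/third/file/upload/"),
    # Assumption: the LIGHTSPY "prefix" is the first path segment.
    "lightspy_prefix": re.compile(r"^/963852741(?:/|$)"),
    "deepdata_keywalk": re.compile(r"qweasdzxc", re.IGNORECASE),
}
KNOWN_SHA256 = {
    "666a4c569d435d0e6bf9fa4d337d1bf014952b42cc6d20e797db6c9df92dd724": "deepdata.zip",
    "f4e72145e761bcc8226353bb121eb8e549dc0000c6535bfa627795351037dc8e": "localupload.exe",
}
SUSPECT_FILENAMES = {"deepdata.zip", "data.dll", "mod.dat", "msenvico.dll",
                     "localupload.exe", "pic32.png", "pic64.png"}

# Constructed proxy log format (assumption): "<ts> <client> <METHOD> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<scheme>https?)://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>/\S*) "
    r"(?P<status>\d{3})$"
)


def refang(ip: str) -> str:
    """Turn the page's defanged form (103.27.109[.]217) back into a real IP."""
    return ip.replace("[.]", ".")


def match_log_line(line: str) -> List[str]:
    """Return the list of indicator hits for one log line (empty if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    hits = []
    host = m["host"]
    # Default port follows the scheme when the URL carries none.
    port = int(m["port"]) if m["port"] else (443 if m["scheme"] == "https" else 80)
    if host in C2_IPS:
        hits.append(f"known C2 host {host}")
    if port in C2_PORTS:
        hits.append(f"C2 port {port}")
    for name, rx in URL_PATTERNS.items():
        if rx.search(m["path"]):
            hits.append(f"url pattern {name}")
    return hits


def scan_log(lines) -> List[Tuple[int, List[str]]]:
    """(1-based line number, hits) for every line with at least one hit."""
    out = []
    for n, line in enumerate(lines, start=1):
        hits = match_log_line(line)
        if hits:
            out.append((n, hits))
    return out


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def lookup_sha256(hexdigest: str) -> Optional[str]:
    """Name of the known sample for this SHA256, or None."""
    return KNOWN_SHA256.get(hexdigest.lower())


def is_suspect_filename(path: str) -> bool:
    """Basename check that tolerates both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower() in SUSPECT_FILENAMES


# Constructed sample traffic (not from the report).
SAMPLE_LOG = [
    "2024-11-14T09:12:01Z 10.0.0.5 POST https://103.27.109.217:29983/api/third/file/upload/ 200",
    "2024-11-14T09:13:44Z 10.0.0.7 GET https://121.201.109.98:28443/963852741/config 200",
    "2024-11-14T09:14:10Z 10.0.0.9 GET https://cdn.example.com/qweasdzxc/update 200",
    "2024-11-14T09:15:00Z 10.0.0.5 GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

The third sample line shows why the URL patterns are worth matching on their own: the host and port look ordinary, and only the keyboard‑walk string ‘qweasdzxc’ flags it. Treat a lone pattern hit as a lead to pivot on (destination host, process, user), not as a confirmed compromise, and feed any hash or filename hit into a full triage of the host.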

Read more: https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata