Infamous Chisel Malware Analysis Report | CISA

Infamous Chisel is a modular Android toolkit attributed to the Sandworm actor that persists by replacing /system/bin/netd, collects system and application files (including military-specific apps), and exfiltrates them on a regular schedule. It deploys Tor and a modified Dropbear SSH server to provide remote access via a Tor hidden service and sends stolen files over TLS to a local forward or fallback domain. #InfamousChisel #Sandworm #Android #Dropbear #Tor #CISA

Keypoints

  • Infamous Chisel persists by replacing the legitimate /system/bin/netd so the malicious netd runs as root while netd_ preserves original functionality.
  • netd performs scheduled collection and automated exfiltration (every 86,000 seconds) of files matching a long predefined extension list from multiple storage and app directories.
  • Collected files are MD5-hashed and tracked in a rotating binary index (.google.index) to avoid re-sending; exfiltration completes when the server replies with “Success”.
  • blob deploys/configures Tor (td) to create a hidden service forwarding to a modified Dropbear (db/ndbr) SSH instance; an iptables rule allows inbound TCP on port 34371 and Tor exposes a local SOCKS proxy on 127.0.0.1:1129.
  • Multi-call binaries (db, NDBR_armv7l, NDBR_i686) include modified Dropbear authentication functions to allow covert SSH access; supporting tools include tcpdump, nmap, scp, watchdog, mkflag, and rmflag.
  • Communications use TLS to a hard-coded local IP/port (likely a local forward/VPN) with a fallback domain resolution via dns.google and a POST format: POST /server.php?ver=16&bid=%s&type=%d with raw file payloads.

MITRE Techniques

  • [T1569] System Services – Used to execute and replace system services. (‘Infamous Chisel – netd replaces the legitimate netd.’)
  • [T1398] Boot or Logon Initialization Scripts (Mobile) – Replaces netd to maintain execution on boot. (‘Infamous Chisel – netd replaces the legitimate netd.’)
  • [T1625] Hijack Execution Flow (Mobile) – netd is substituted and executed by init to inherit root privileges. (‘Infamous Chisel – netd replaces the legitimate netd and is executed by init inheriting root privileges.’)
  • [T1626] Abuse Elevation Control Mechanism (Mobile) – netd executes shell scripts as root to escalate capabilities. (‘Infamous Chisel – netd executes shell scripts as the root user of the device.’)
  • [T1629] Impair Defenses (Mobile) – netd validates being run by init and at the netd path to evade detection. (‘Infamous Chisel – netd checks that it is executed by init and at the path for the legitimate netd.’)
  • [T1406] Obfuscated Files or Information (Mobile) – blob decompresses executables from bzip archives to hide payloads. (‘Infamous Chisel – blob decompresses executables from bzip archives.’)
  • [T1557] Adversary-in-the-Middle – The mDNSResponder deployed alongside the malware could be used for DNS poisoning. (‘Infamous Chisel – mDNSResponder is deployed alongside this malware and could potentially be used for DNS poisoning.’)
  • [T1634] Credentials from Password Stores (Mobile) – netd scrapes files containing credentials and key information. (‘Infamous Chisel – netd scrapes multiple files containing credentials and key information.’)
  • [T1040] Network Sniffing – tcpdump is deployed to sniff network interfaces and capture traffic. (‘Infamous Chisel – tcpdump is deployed alongside this malware and has the ability to sniff network interfaces and monitor network traffic.’)
  • [T1420] File and Directory Discovery (Mobile) – netd enumerates data directories to locate files of interest. (‘Infamous Chisel – netd enumerates multiple data directories to discover files of interest.’)
  • [T1430] Location Tracking (Mobile) – netd collects GPS/location information. (‘Infamous Chisel – netd collects GPS information.’)
  • [T1418] Software Discovery (Mobile) – netd lists installed packages to profile device software. (‘Infamous Chisel – netd collects a list of installed packages.’)
  • [T1426] System Information Discovery (Mobile) – netd gathers Android ID and hardware details. (‘Infamous Chisel – netd collects various system information such as the Android ID and other hardware information.’)
  • [T1422] System Network Configuration Discovery (Mobile) – netd collects IP interface configuration information. (‘Infamous Chisel – netd collects IP interface configuration information.’)
  • [T1421] System Network Connections Discovery (Mobile) – netd scans local IP ranges to find active hosts and open ports. (‘Infamous Chisel – netd performs IP scanning of the local network to discover other devices.’)
  • [T1533] Data from Local System (Mobile) – netd automatically collects files matching extension lists. (‘Infamous Chisel – netd automatically collects files from the local system based on a predefined list of file extensions.’)
  • [T1074.001] Data Staged: Local Data Staging – netd creates temporary files to hold collected information before transfer. (‘Infamous Chisel – netd creates multiple temporary files in the system to hold collected information.’)
  • [T1114.001] Email Collection: Local Email Collection – netd exfiltrates communication-related files from application/data directories. (‘Infamous Chisel – netd exfiltrates files from application and data directories containing communication data.’)
  • [T1473] Application Layer Protocol (Mobile) – db provides SCP functionality for file transfer. (‘Infamous Chisel – db provides SCP functionality.’)
  • [T1521] Encrypted Channel (Mobile) – td (Tor) provides a hidden service relaying connections to SSH. (‘Infamous Chisel – td is deployed alongside this malware providing a Tor hidden service relaying connections to SSH program.’)
  • [T1572] Protocol Tunnelling – td provides a local SOCKS connection used by db. (‘Infamous Chisel – td is deployed alongside this malware providing a local Socks connection for db.’)
  • [T1219] Remote Access Software – db offers an SSH server and client for remote access. (‘Infamous Chisel – db provides a SSH server and client.’)
  • [T1020] Automated Exfiltration – netd automatically exfiltrates files at regular intervals. (‘Infamous Chisel – netd automatically exfiltrates files at regular intervals.’)
  • [T1029] Scheduled Transfer – netd schedules regular automated transfers. (‘Infamous Chisel – netd automatically exfiltrates files at regular intervals.’)
  • [T1489] Service Stop – The malware replaces legitimate netd (impacting service availability). (‘Infamous Chisel – netd replaces the legitimate netd.’)

Indicators of Compromise

  • [File Hashes] Malware binary hashes – SHA-256: 5866e1fa5e262ade874c4b869d57870a88e6a8f9d5b9c61bd5d6a323e763e021, 2d19e015412ef8f8f7932b1ad18a5992d802b5ac62e59344f3aea2e00e0804ad, and many more hashes (see report).
  • [Filenames / Binaries] Malware components – killer, blob, netd, db, ndbr_armv7l (multi-call), and tcpdump (actor-compiled).
  • [File Paths] Persistence and config files – /system/bin/netd_, /data/local/blob, /data/local/prx/hs/hostname, /sdcard/Android/data/.google.index (exfiltration hash index).
  • [Domains] Fallback C2/domain – www.geodatatool[.]com used for fallback communications.
  • [Network / Ports] Local Tor and hidden service ports – 127.0.0.1:1129 (SOCKS), 127.0.0.1:34371 (hidden service forwarding to Dropbear); iptables allowing TCP dport 34371.
  • [HTTP Pattern] C2 POST URI and headers – POST /server.php?ver=16&bid=%s&type=%d with User-Agent: curl/7.47; fallback name resolution is a DNS-over-HTTPS POST to dns.google carrying Windows-style request headers.

Infamous Chisel implements persistence by substituting the system netd binary: the malicious netd detects that it was launched by init and forks/executes the genuine netd, backed up as /system/bin/netd_, so system behavior is preserved while the malicious process runs as root. If it is not located at /system/bin/netd, the malware re-parents itself to PID 1 and attempts to terminate the legitimate netd. A separate killer binary iterates /proc to identify and kill the malicious netd process while leaving netd_ running.

The netd component drives periodic data collection and staged exfiltration. It runs an indefinite main loop in which timers trigger tasks, notably a full file triage every 86,000 seconds. netd recursively searches specified directories (e.g., /sdcard, /storage/emulated/0/, /data/data/org.telegram.messenger, /data/data/com.google.android.gm, and military-specific app folders) for files matching a long extension list (.dat, .ovpn, wa.db, msgstore.db, telephony.db, .pdf, .zip, .png, .jpg, .kml, etc.). Each selected file is MD5-hashed, and the raw 16-byte digest is appended to the binary .google.index file (initialized to 256KB, a circular buffer holding ~16,384 hashes) so that files already sent are not exfiltrated again. Files are POSTed as octet-streams to the C2 using the structure POST /server.php?ver=16&bid=%s&type=%d (Android ID, type 0/1, base64 path, length, raw file). A successful exfiltration is identified by the server returning the string “Success”. netd stages temp files (e.g., /data/local/tmp/.ndata.tmp) and writes triage scripts (/data/local/tmp/.android.cache.sh) which it executes via /system/bin/sh.
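For an incident responder, a recovered .google.index answers which files the implant had already sent. The following is an added forensic example (not code from the report or the malware): it parses the index as raw 16-byte MD5 slots, hashes files under a mounted storage tree and reports which ones are recorded. It assumes unused slots are zero-filled (the report does not state this) and uses a constructed /sdcard fixture as input.

```python
import hashlib
import tempfile
from pathlib import Path

MD5_LEN = 16
INDEX_SIZE = 256 * 1024  # .google.index is initialised to 256 KB (16,384 slots)

def load_index(index_bytes: bytes) -> set:
    """Set of raw 16-byte MD5 digests stored in a recovered .google.index.
    Assumption (not in the report): unused slots are zero-filled and skipped;
    slot order is irrelevant for a lookup, so wraparound needs no handling."""
    usable = len(index_bytes) - len(index_bytes) % MD5_LEN
    slots = (index_bytes[o:o + MD5_LEN] for o in range(0, usable, MD5_LEN))
    return {s for s in slots if s != bytes(MD5_LEN)}

def md5_of_file(path) -> bytes:
    """Raw MD5 digest of a file, read in chunks (the form netd records)."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.digest()

def triage(index_bytes: bytes, root) -> dict:
    """Map each file under root to True if its MD5 is in the index (already
    exfiltrated) or False if the malware had not yet sent it."""
    seen = load_index(index_bytes)
    root = Path(root)
    return {str(p.relative_to(root)): md5_of_file(p) in seen
            for p in sorted(root.rglob("*")) if p.is_file()}

def build_fixture() -> tuple:
    """Constructed data: a fake /sdcard tree and an index that records two of
    the three files, zero-padded to the 256 KB initial size."""
    root = Path(tempfile.mkdtemp())
    files = {"Documents/route.kml": b"<kml/>", "DCIM/photo.jpg": b"\xff\xd8fake",
             "Download/profile.ovpn": b"client\nremote vpn.example 1194\n"}
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    sent = [md5_of_file(root / r) for r in ("Documents/route.kml", "Download/profile.ovpn")]
    return b"".join(sent).ljust(INDEX_SIZE, b"\x00"), root

if __name__ == "__main__":
    index, root = build_fixture()
    for rel, done in triage(index, root).items():
        print(f"{'SENT    ' if done else 'NOT SENT'} {rel}")
```

On a real image, pass the bytes of /sdcard/Android/data/.google.index and the mounted storage root to triage() instead of the fixture.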

Remote access and transport are provided by the blob/td/db/ndbr components: blob decompresses the packaged Tor binary (td) and configures a Tor hidden service (DataDirectory /data/local/prx, HiddenServicePort 34371 127.0.0.1:34371) and a local SOCKS listener (127.0.0.1:1129). The multi-call binaries (db, NDBR_armv7l/NDBR_i686) contain modified Dropbear (ssh/scp) code and utilities (nmap, tcpdump, watchdog, mkflag, rmflag). Watchdog/mkflag create /data/local/tmp/sessions.log.d/.ssh, authorized_keys, and a remove_file.flag containing “run” (used as an indicator), then start Dropbear; iptables rules are added to allow incoming TCP on port 34371. Dropbear's authentication-related functions (getpwnam, getpwuid, getspnam) are patched to return hard-coded structures for specific usernames/UIDs, enabling covert SSH access. Communications attempt a TLS connection to a hard-coded local IP:port (likely a VPN/local forward) and fall back to a hard-coded domain resolved via dns.google; because the exfiltration is encrypted it blends into ordinary TLS traffic and evades content inspection. Detection focuses on unique file paths, POST URI strings, Tor/hidden-service files under /data/local/prx, and the presence of modified Dropbear and netd replacements.
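The detection points above (the Tor hidden-service configuration, the iptables rule for port 34371 and the POST /server.php?ver=16 C2 pattern with User-Agent curl/7.47) can be checked against artefacts pulled from a device or a proxy. This is an added example, not code from the report; the torrc, iptables-save listing and HTTP log lines are constructed samples, and the Android ID in them is made up.

```python
import re

# Constructed sample artefacts (not from the report): torrc, iptables-save rules, proxy log.
TORRC = """DataDirectory /data/local/prx
SocksPort 127.0.0.1:1129
HiddenServiceDir /data/local/prx/hs
HiddenServicePort 34371 127.0.0.1:34371
"""
IPTABLES = """-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 34371 -j ACCEPT
"""
HTTP_LOG = [
    '10.0.0.5 "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.5 "POST /server.php?ver=16&bid=3f2a9c1e7b6d4a08&type=1 HTTP/1.1" 200 "curl/7.47"',
    '10.0.0.7 "POST /server.php?ver=2&bid=abc&type=0 HTTP/1.1" 404 "curl/8.0.1"',
]
C2_URI = re.compile(r'POST /server\.php\?ver=16&bid=(?P<bid>[^&\s"]+)&type=(?P<type>[01])\b')

def parse_torrc(text: str) -> dict:
    """Option -> list of values; Tor options such as HiddenServicePort may repeat."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            conf.setdefault(key, []).append(val.strip())
    return conf

def tor_findings(text: str) -> list:
    """Which of the Infamous Chisel Tor settings a torrc contains."""
    conf = parse_torrc(text)
    hits = []
    if any(v.endswith("1129") for v in conf.get("SocksPort", [])):
        hits.append("socks_1129")
    if any(v.startswith("34371 ") for v in conf.get("HiddenServicePort", [])):
        hits.append("hs_34371")
    if conf.get("DataDirectory") == ["/data/local/prx"]:
        hits.append("datadir_prx")
    return hits

def iptables_allows_34371(rules: str) -> bool:
    """True if an INPUT rule accepts TCP to dport 34371 (Dropbear behind the hidden service)."""
    return any(re.search(r"-A INPUT .*--dport 34371\b.*-j ACCEPT", r) for r in rules.splitlines())

def c2_posts(lines) -> list:
    """Log lines hitting the C2 URI: Android ID (bid), type, and whether the
    User-Agent is the hard-coded curl/7.47."""
    return [{"bid": m["bid"], "type": int(m["type"]), "ua_match": "curl/7.47" in line}
            for line in lines for m in [C2_URI.search(line)] if m]
```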

Read more: https://www.cisa.gov/news-events/analysis-reports/ar23-243a