Chinese Hackers Deploy DEEPDATA Malware to Steal VPN Credentials Through Fortinet Zero-Day


A Chinese threat actor, BrazenBamboo, has developed a sophisticated cyber espionage framework comprising three main tools:

1. DEEPDATA:
– A modular Windows post-exploitation tool
– Exploits a zero-day vulnerability in Fortinet’s FortiClient
– Capable of extracting VPN credentials and sensitive data from various communication platforms
– Uses 12 different plugins managed by a DLL loader

2. DEEPPOST:
– Specialized data exfiltration tool
– Transfers compromised files to remote servers

3. LightSpy:
– Cross-platform malware (Windows, macOS, iOS)
– Features include:
  * Webcam recording
  * Remote shell execution
  * Audio collection
  * Browser data theft
  * Keylogging
  * Screen capture
  * Software inventory

Key Points:
– Discovered by Volexity in July 2024
– Fortinet vulnerability remains unpatched
– Shows signs of being developed by a professional enterprise
– Likely connected to Chinese government operations
– Demonstrates sophisticated development capabilities and operational longevity

The malware suite indicates a well-resourced threat actor with advanced cyber espionage capabilities, possibly linked to known Chinese APT groups and private security companies like Chengdu 404 and I-Soon.
