1. DEEPDATA:
– A modular Windows post-exploitation tool
– Exploits a zero-day vulnerability in Fortinet’s FortiClient
– Capable of extracting VPN credentials and sensitive data from various communication platforms
– Uses 12 different plugins managed by a DLL loader
2. DEEPPOST:
– Specialized data exfiltration tool
– Transfers compromised files to remote servers
3. LightSpy:
– Cross-platform malware (Windows, macOS, iOS)
– Features include:
* Webcam recording
* Remote shell execution
* Audio collection
* Browser data theft
* Keylogging
* Screen capture
* Software inventory
Key Points:
– Discovered by Volexity in July 2024
– Fortinet vulnerability remains unpatched
– Shows signs of professional, enterprise-style development
– Likely connected to Chinese government operations
– Demonstrates sophisticated development capabilities and operational longevity
The malware suite indicates a well-resourced threat actor with advanced cyber espionage capabilities, possibly linked to known Chinese APT groups and to private security companies such as Chengdu 404 and I-Soon.