How Is DEEPDATA Malware Exploiting Fortinet VPN for Credential Theft?

Amid the constantly evolving landscape of cybersecurity threats, a new and troubling development has surfaced involving malware known as DEEPDATA. Deployed by the notable threat actor BrazenBamboo, DEEPDATA takes advantage of a vulnerability in Fortinet’s FortiClient for Windows to steal VPN credentials. This alarming vulnerability was first reported by Volexity in July 2024 and, worryingly, remains unpatched to this day. This modular post-exploitation tool is tailored for Windows and capable of gathering extensive information from target devices, posing a significant risk to individuals and organizations alike.

The Mechanics of DEEPDATA

The Core Components and Functionality

DEEPDATA is built around a key module, a dynamic-link library (DLL) loader referred to as “data.dll.” This component is responsible for decrypting and launching various plugins through an orchestrator module known as “frame.dll.” The plugins execute a range of tasks, one of which is exploiting a zero-day vulnerability in the Fortinet VPN client to capture user VPN credentials. This vulnerability represents a serious security lapse and highlights the importance of addressing such issues promptly.
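As an added, defender-side illustration (not code from the article or from Volexity), the check below correlates constructed Sysmon-style image-load records by process and flags any process that has loaded both module names the article gives, data.dll and frame.dll. Only the two module names come from the page; the log format, paths, PIDs and signing flags are constructed for the example.

```python
# Added example: correlate image-load records per process and flag processes
# that load both DEEPDATA module names named in the article. Log format,
# paths and PIDs are constructed; only "data.dll" and "frame.dll" are from the page.
from collections import defaultdict

# Module names reported for DEEPDATA (loader and orchestrator).
DEEPDATA_MODULES = {"data.dll", "frame.dll"}

# Constructed sample records, one per line, fields separated by "|".
SAMPLE_EVENTS = r"""
pid=4120|image=C:\Windows\System32\svchost.exe|loaded=C:\Windows\System32\data.dll|signed=true
pid=5532|image=C:\Users\alice\AppData\Local\Temp\update.exe|loaded=C:\Users\alice\AppData\Local\Temp\data.dll|signed=false
pid=5532|image=C:\Users\alice\AppData\Local\Temp\update.exe|loaded=C:\Users\alice\AppData\Local\Temp\frame.dll|signed=false
pid=6001|image=C:\Program Files\Fortinet\FortiClient\FortiClient.exe|loaded=C:\Windows\System32\frame.dll|signed=true
""".strip()


def parse_event(line):
    """Parse one 'key=value|key=value' record; return None if malformed."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if not sep:
            return None
        fields[key.strip()] = value.strip()
    if not {"pid", "image", "loaded"} <= fields.keys():
        return None
    return fields


def find_deepdata_loads(text):
    """Return {pid: {"image": ..., "unsigned": bool}} for every process that
    loaded all DEEPDATA module names; 'unsigned' is True if any such load
    lacked a valid signature, which makes the hit worth triaging first."""
    loads = defaultdict(set)
    unsigned = defaultdict(bool)
    images = {}
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue  # skip malformed records instead of crashing the scan
        name = ev["loaded"].lower().rsplit("\\", 1)[-1]
        if name in DEEPDATA_MODULES:
            pid = ev["pid"]
            loads[pid].add(name)
            images[pid] = ev["image"]
            unsigned[pid] |= ev.get("signed", "false").lower() != "true"
    return {pid: {"image": images[pid], "unsigned": unsigned[pid]}
            for pid, mods in loads.items() if mods == DEEPDATA_MODULES}


if __name__ == "__main__":
    for pid, hit in find_deepdata_loads(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {hit['image']} (unsigned module: {hit['unsigned']})")
```

A process that loads only one of the two names (the svchost.exe and FortiClient.exe records above) is not flagged, so the rule depends on both modules being observed; pair it with Volexity's published indicators for actual hunting.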

BlackBerry previously highlighted the broader implications of this surveillance framework, noting its connection to the China-linked APT41 threat actor. DEEPDATA’s capabilities for data harvesting across multiple communication and software platforms underscore its stealth and persistent nature. The modular design not only facilitates flexible deployment but also enables the malware to adapt and evolve with emerging cyber threats, making it a formidable tool in the arsenal of cybercriminals.

The Role of Plugins and Data Harvesting

One of the most concerning aspects of DEEPDATA is its use of plugins to extend its functionality. These plugins can perform a wide range of tasks, from capturing sensitive data to executing malicious commands on compromised systems. The sophisticated nature of these plugins allows them to operate undetected for extended periods, thereby increasing the potential damage they can cause. The malware’s capability to exploit a zero-day vulnerability in the Fortinet VPN client to capture user VPN credentials is particularly alarming, as it opens the door to further unauthorized access and data breaches.

BrazenBamboo has invested significant resources into the development of DEEPDATA, reflecting a high level of sophistication and operational capability. The malware’s modular architecture permits continuous updates and enhancements, ensuring its efficacy in the ever-changing cyber threat landscape. This adaptability is a key factor in DEEPDATA’s ability to remain effective over time and highlights the importance of robust cybersecurity measures to protect against such threats.

Additional Arsenal of BrazenBamboo

DEEPPOST and LightSpy

In addition to DEEPDATA, BrazenBamboo’s arsenal includes other potent tools like DEEPPOST and LightSpy. DEEPPOST is another data exfiltration tool, while LightSpy extends its reach across multiple operating systems, including macOS, iOS, and most recently, Windows. The Windows variant of LightSpy employs an installer to deploy a library that executes shellcode in memory, subsequently downloading the orchestrator component from a command-and-control server. This orchestrator, executed by a loader known as BH_A006, communicates through WebSocket and HTTPS protocols to facilitate data exfiltration.

LightSpy and DEEPDATA share several code- and infrastructure-level similarities, indicating that they might be products of a private enterprise. This development model has been seen in previous instances with companies such as Chengdu 404 and I-Soon. The resemblance between these tools suggests a coordinated effort to create versatile and effective malware capable of infiltrating diverse targets and extracting valuable information without raising alarm.

Implications for Cybersecurity

The advanced multi-platform capabilities of tools like DEEPPOST and LightSpy underscore the growing sophistication of cyber threats and the need for comprehensive cybersecurity strategies. Their persistence and stealth make them particularly challenging to detect and neutralize, raising the stakes for both cybersecurity professionals and the organizations they protect. Volexity’s in-depth analysis offers crucial insights into the operational longevity and development sophistication driving these initiatives.

The unresolved Fortinet flaw, in particular, illustrates the pressing demand for timely vulnerability patching and proactive measures to enhance cybersecurity protocols. The rise of modular malware like DEEPDATA necessitates a multi-faceted approach to defense, incorporating regular updates, vigilant monitoring, and collaborative efforts among cybersecurity stakeholders worldwide.

Concluding Thoughts and Next Steps

In the ever-changing world of cybersecurity threats, a new and concerning issue has recently emerged involving malware called DEEPDATA. This malware is deployed by the notorious threat actor BrazenBamboo and exploits a vulnerability in Fortinet’s FortiClient for Windows to steal VPN credentials. This critical vulnerability was first identified by Volexity in July 2024 and, unfortunately, has not been patched yet. DEEPDATA is a versatile post-exploitation tool designed specifically for Windows systems, capable of collecting a wide range of information from targeted devices. This poses a grave risk to both individuals and organizations, as the stolen data can be used for various malicious purposes. With the vulnerability unresolved, the malware continues to pose a significant threat. Users and administrators are advised to remain vigilant, take necessary precautions, and look out for updates or patches from Fortinet to mitigate the risks associated with DEEPDATA.
