Warning: DEEPDATA Malware Targets Fortinet VPN Credentials

BrazenBamboo Exploits Fortinet VPN Flaw: A Deep Dive into DEEPDATA Framework

The threat actor tracked as BrazenBamboo has exploited a security flaw in Fortinet’s FortiClient for Windows to extract VPN credentials, using a modular post-exploitation framework named DEEPDATA. Volexity disclosed the findings on Friday, describing the zero-day exploitation of a credential disclosure vulnerability that the firm first identified in July 2024.

Understanding the DEEPDATA Framework

According to Volexity’s technical report, BrazenBamboo is not only the developer behind DEEPDATA but also the architect of related tools like DEEPPOST and LightSpy. DEEPDATA functions as a modular post-exploitation tool designed for the Windows operating system, enabling attackers to gather extensive information from targeted devices.

Key Features of BrazenBamboo’s Malware

  • Dynamic-Link Library (DLL) Loader: The core of DEEPDATA is a DLL loader known as "data.dll," which is capable of decrypting and launching up to 12 different plugins through an orchestrator module called "frame.dll."
  • FortiClient Vulnerability: A notable plugin within DEEPDATA exploits a zero-day vulnerability in the Fortinet VPN client, allowing for the extraction of user credentials directly from the client’s memory.
  • Persistent Access: Since the development of the LightSpy spyware implant in 2022, BrazenBamboo has systematically targeted communication platforms, focusing on stealth and ongoing access.

The Broader Cybersecurity Landscape

The malware’s capabilities extend beyond credential harvesting. BlackBerry recently reported that the China-linked APT41 threat actor has used the DEEPDATA framework to harvest sensitive data from applications including WhatsApp, Telegram, and Microsoft Outlook, among others.

Additional Tools in the BrazenBamboo Arsenal

  • DEEPPOST: This tool specializes in data exfiltration, allowing attackers to transfer files to remote endpoints.
  • LightSpy Variants: LightSpy has multiple versions for macOS, iOS, and now Windows, showcasing the threat actor’s adaptability across different operating systems.

Ongoing Concerns and Future Implications

Volexity reported the vulnerability to Fortinet on July 18, 2024, but at the time of writing it remains unpatched. The absence of a fix is a serious concern for organizations that rely on FortiClient for VPN access, since a compromised endpoint can yield working VPN credentials. The Hacker News is currently awaiting a response from Fortinet regarding this issue.

A Connected Threat Environment

The orchestrator behind the LightSpy malware communicates using WebSocket and HTTPS protocols, facilitating data exfiltration while managing multiple plugins that can record audio, capture screens, and log keystrokes.

Research indicates that there are significant overlaps in the code and infrastructure of LightSpy and DEEPDATA, suggesting a possible collaboration or shared resources among Chinese threat actors.

Conclusion: The Resilience of BrazenBamboo

Volexity’s findings underscore that BrazenBamboo is a well-resourced threat actor with extensive multi-platform capabilities. Their continued development of sophisticated hacking tools reveals a dedicated effort to enhance cyber espionage initiatives.
