Chinese threat actors use custom post-exploitation toolkit ‘DeepData’ to exploit FortiClient VPN zero-day and steal credentials.
Volexity researchers discovered a vulnerability in Fortinet’s Windows VPN client that the China-linked threat actor BrazenBamboo abused in its DEEPDATA malware. BrazenBamboo is known to be the author of several malware families, including LIGHTSPY, DEEPDATA, and DEEPPOST. DEEPDATA is a modular post-exploitation tool for Windows that allows operators to harvest sensitive information from infected systems. DEEPPOST is a post-exploitation data exfiltration tool used to send files to a remote system, and LIGHTSPY is a modular spyware.
The researchers found that, because of this vulnerability, user credentials remain in process memory after a user authenticates to the VPN.
Volexity reported the vulnerability to the vendor in July; however, the flaw has yet to be addressed.
“Volexity verified the presence of these JSON objects in memory and confirmed this approach works against the latest version available at the time of discovery (v7.4.0). Notably, the same approach does not work against older versions of the Fortinet VPN client. Volexity reported this vulnerability to Fortinet on July 18, 2024, and Fortinet acknowledged the issue on July 24, 2024,” reads the advisory. “At the time of writing, this issue remains unresolved and Volexity is not aware of an assigned CVE number.”
Volexity’s report details the DeepData custom malware which is employed in espionage campaigns. The malware exploits the zero-day in Fortinet’s FortiClient to extract VPN credentials and server details from process memory.
DeepData can access and decrypt the JSON objects containing credentials in FortiClient’s process memory and exfiltrate them to the attacker’s server using DeepPost.
Once they obtained the credentials, the threat actors used them for initial network access, lateral movement, and data exfiltration.
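The failure mode described above, as an added C illustration that is neither FortiClient’s code nor Volexity’s: a client session that keeps the credential JSON resident after the handshake, beside a version that scrubs it once the secret is no longer needed. The JSON field names, the sample credential and the handshake stand-in are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CRED_BUF_SIZE 256

/* Constructed sample: the shape of a credential record a VPN client might
   hold during login (hypothetical field names, not FortiClient's format). */
static const char SAMPLE_CRED_JSON[] =
    "{\"server\":\"vpn.example.test\",\"user\":\"alice\",\"password\":\"Winter2024!\"}";

/* Long-lived session state; keeping the raw credential buffer alive after
   login is the pattern the article describes. */
typedef struct {
    char cred_json[CRED_BUF_SIZE];
    int  logged_in;
} vpn_session;

/* Zero through a volatile function pointer so the compiler cannot drop the
   memset as a dead store on a buffer that is never read again. */
static void *(*volatile secure_memset)(void *, int, size_t) = memset;
static void scrub(void *p, size_t n) { secure_memset(p, 0, n); }

/* Stand-in for the real authentication exchange: consumes the JSON. */
static int do_handshake(const char *cred_json) {
    return strstr(cred_json, "\"password\":\"") != NULL;
}

/* Weak pattern: the credential JSON stays resident for the session's lifetime. */
int login_leaky(vpn_session *s, const char *cred_json) {
    snprintf(s->cred_json, sizeof s->cred_json, "%s", cred_json);
    s->logged_in = do_handshake(s->cred_json);
    return s->logged_in;
}

/* Hardened pattern: scrub the secret as soon as the handshake is done with it. */
int login_scrubbed(vpn_session *s, const char *cred_json) {
    snprintf(s->cred_json, sizeof s->cred_json, "%s", cred_json);
    s->logged_in = do_handshake(s->cred_json);
    scrub(s->cred_json, sizeof s->cred_json);
    return s->logged_in;
}

/* Unit-test style self-check on the process's own session struct:
   does the buffer still contain the secret after login? 1 = yes, 0 = no. */
int secret_resident(const vpn_session *s, const char *secret) {
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= sizeof s->cred_json; i++)
        if (memcmp(s->cred_json + i, secret, slen) == 0) return 1;
    return 0;
}
```

A check like `secret_resident` belongs in the client’s own test suite, so that a regression that leaves credentials in the session after authentication fails the build rather than surfacing in a memory dump.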
Below are the DEEPDATA’s plugins identified by Volexity:
Plugin Name | Plugin Capabilities
AccountInfo | Steal credentials from 18 different sources on the compromised device.
AppData | Collect data from WeChat, WhatsApp and Signal on the compromised device.
Audio | Record audio on compromised devices.
ChatIndexedDb | Steal databases from WhatsApp and Zalo chat clients.
FortiClient | Extract credentials and server information from process memory of FortiClient VPN processes.
Outlook | Collect contacts and emails from local Microsoft Outlook instances.
SocialSoft | Steal data from WeChat, Line, QQ, DingDing, Skype, Telegram, and Feishu applications.
SoftwareList | List installed software, folders, and files recursively from a base location.
SystemInfo | Gather basic enumeration information from the compromised device.
TdMonitor | Hook Telegram to retrieve messages from the application.
WebBrowser | Collect history, cookies, and passwords from Firefox, Chrome, Opera, and Edge web browsers.
WifiList | Collect details of stored WiFi keys and nearby hotspots.
The researchers recommend restricting VPN access and monitoring for anomalous login activity; they also released indicators of compromise (IoCs) associated with this campaign.
Pierluigi Paganini
(SecurityAffairs – hacking, DeepData)