DeepData Malware Exploits Fortinet VPN Zero-Day in Sophisticated Espionage Campaign

Paige Henley
Published on: November 21, 2024

In a recent cybersecurity development, the DeepData malware framework has been observed exploiting a zero-day vulnerability in Fortinet’s FortiClient VPN for Windows to extract user credentials.

This sophisticated surveillance tool employs multiple plugins to target sensitive information stored in browsers, communication applications, and password managers, and can even record audio via the system’s microphone.

Cybersecurity firm Volexity reported that DeepData leverages an unpatched flaw in FortiClient to read usernames, passwords, and other VPN session data directly from the application's memory, where the credentials remain after the user has authenticated. Volexity identified the vulnerability in July 2024; it remained unpatched at the time of writing, leaving users exposed to credential theft.
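Because the flaw cannot be patched by the user, the practical defence is to detect another process reading FortiClient's memory. The following is an added example, not code from the article, Volexity, or Fortinet: it runs a simple detection over Sysmon Event ID 10 (ProcessAccess) records and flags any non-allowlisted process that opens the FortiClient process with PROCESS_VM_READ. The sample events are constructed, the assumption that the credentials live in FortiClient.exe's memory and the allowlist contents are the author's, and both should be tuned to your environment.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Windows process access rights (from winnt.h) as they appear in Sysmon GrantedAccess.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Assumption: FortiClient.exe is the process holding the cached VPN credentials.
TARGET_BASENAMES = {"forticlient.exe"}

# Assumption: system processes that legitimately open other processes' memory on
# most hosts. Extend this with your EDR/AV binaries to cut noise.
ALLOWLIST = {"csrss.exe", "lsass.exe", "msmpeng.exe"}

# Constructed sample of Sysmon events flattened to one key=value line each.
# These are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Program Files\\Fortinet\\FortiClient\\FortiClient.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Users\\victim\\AppData\\Local\\Temp\\data.exe TargetImage=C:\\Program Files\\Fortinet\\FortiClient\\FortiClient.exe GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Program Files\\Fortinet\\FortiClient\\FortiClient.exe TargetImage=C:\\Program Files\\Fortinet\\FortiClient\\FortiTray.exe GrantedAccess=0x1fffff",
    "EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Program Files\\Fortinet\\FortiClient\\FortiClient.exe GrantedAccess=0x1fffff",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami",
]

# Split on whitespace only when the next token looks like a new "Key=" field, so
# values containing spaces (e.g. "C:\Program Files\...") survive intact.
KV_SPLIT = re.compile(r"\s+(?=[A-Za-z]+=)")


@dataclass
class Finding:
    source: str      # basename of the process doing the reading
    target: str      # basename of the process being read
    granted: int     # GrantedAccess mask
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened Sysmon record into a field dictionary."""
    fields: Dict[str, str] = {}
    for token in KV_SPLIT.split(line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(fields: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if this is a suspicious memory read of the target process."""
    if fields.get("EventID") != "10":
        return None
    src = basename(fields.get("SourceImage", ""))
    tgt = basename(fields.get("TargetImage", ""))
    if tgt not in TARGET_BASENAMES or src in ALLOWLIST:
        return None
    try:
        granted = int(fields.get("GrantedAccess", "0"), 16)
    except ValueError:
        return None
    # Only memory-reading rights matter here; query-only handles (0x1000) are normal.
    if not granted & PROCESS_VM_READ:
        return None
    rights = ["PROCESS_VM_READ"]
    if granted & PROCESS_VM_WRITE:
        rights.append("PROCESS_VM_WRITE")   # write access suggests injection, not just scraping
    if granted & PROCESS_VM_OPERATION:
        rights.append("PROCESS_VM_OPERATION")
    return Finding(src, tgt, granted, "cross-process memory access: " + "|".join(rights))


def scan(lines: Iterable[str]) -> List[Finding]:
    findings = []
    for line in lines:
        finding = check_event(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"ALERT: {f.source} opened {f.target} with 0x{f.granted:x} ({f.reason})")
```

On the constructed sample only the unsigned binary in the user's Temp directory is flagged: svchost.exe's 0x1000 handle carries no memory-read right, and csrss.exe is allowlisted. In production, feed real Sysmon XML or EDR telemetry into the same check and pair it with the Volexity indicators for DeepData itself.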

BlackBerry’s report states: “This plugin (WebBrowser.dll) collects sensitive user information such as cookies, browsing history, passwords, and autocomplete data from popular browsers (Chrome, Firefox, Edge, Opera) […] from the KeePass application installed on the victim’s device. The plugin then sends all collected data to a remote server controlled by the threat actor.”

The DeepData framework is attributed to BrazenBamboo, a China-linked state-sponsored threat actor also responsible for developing the LightSpy malware.

Both DeepData and LightSpy have been utilized by APT41 — a Chinese advanced persistent threat group — to conduct espionage activities targeting journalists, politicians, and political activists in Southeast Asia.

BlackBerry’s analysis highlights similarities between DeepData and LightSpy, including shared plugin structures and overlapping infrastructure, suggesting a coordinated development effort.

Notably, Volexity has identified a Windows variant of the LightSpy malware, expanding its reach beyond the previously documented iOS, Android, and macOS versions. This variant operates differently, executing code in memory and using WebSocket and HTTPS for communication, while maintaining the data collection and surveillance capabilities characteristic of LightSpy.

The discovery of approximately 30 command-and-control servers associated with DeepData and LightSpy demonstrates the extent of the infrastructure supporting BrazenBamboo's operations. Volexity's findings indicate that BrazenBamboo is a well-resourced and persistent threat actor with multi-platform capabilities, reflecting a significant and ongoing cybersecurity challenge.
