Beware: Kremlin-Backed Sandworm's 'Infamous Chisel' Malware Targets Major CEX And Crypto Wallets

A malware dubbed "Infamous Chisel," believed to be perpetuated by the Kremlin-backed hacking group Sandworm, has been silently targeting crypto wallets on Android devices.

Infamous Chisel, a new type of malicious software (malware), attacks crypto wallets on Android devices by extracting data from unsuspecting victims' devices using the Tor anonymizer network, according to a new report from the U.K.'s National Cyber Security Centre (NCSC).

It attacks directories linked to crypto apps like Brave Browser, Opera, Binance and Coinbase as well as checks the Android Keystore system for private cryptocurrency keys used in crypto wallets.

Considering Infamous Chisel extracts data, other apps are also not safe from it. Apps like Firefox, Telegram, WhatsApp, Discord, PayPal, Google Chrome, Skype, Viber and Discord, among many others, are vulnerable to the malware's attack.

The report further underlined that some of the data extracted by the malware included data within the directories of Binance and Coinbase, two of the largest centralized crypto exchange platforms, along with the Trust Wallet app.

It is worth noting, however, that the National Cyber Security Centre did not state that the data stolen by Infamous Chisel from said apps could enable attackers to steal crypto assets.

Also, the report did not state if Infamous Chisel caused any theft of any crypto, so far, underlining the possibility that the data stolen using the malware couldn't provide malicious actors with full access to crypto wallets or accounts.

The information about Infamous Chisel came from the "Malware Analysis Report," which claimed that the Russian government-backed Sandworm group is the "actor" using this malware to target Android devices used by the Ukranian Military.

This information has been confirmed by the U.K. National Cyber Security Centre (NCSC), the US National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), US Federal Bureau of Investigation (FBI), New Zealand's National Cyber Security Centre (NCSC-NZ), the Canadian Centre for Cyber Security –part of the Communications Security Establishment (CSE) and Australian Signals Directorate (ASD), according to the report.

"As Russia fails on the battlefield, it continues its malicious activity online, making Ukraine one of the most cyber-attacked nations in the world," Deputy Prime Minister of the U.K., Oliver Dowden, said, adding, "Working with our international allies and through NCSC's world-leading expertise, I'm proud that the UK is challenging Russia's cowardly cyber actors and defending Ukraine."

This is not the first time that Sandworm launched its cyber attack on Ukraine. Beside Infamous Chisel, it deployed RansomBoggs ransomware and infected multiple organizations in Ukraine.

The group also allegedly launched Prestige ransomware on transportation and logistics networks in Poland last Fall.

In April 2022, the U.S. Justice Department (DOJ) announced the court-authorized take-down of the command and control infrastructure Sandworm used to communicate with network devices infected by the Blink botnet. The DOJ also offered a $10 million reward for GRU officials associated with the Sandworm group.