Cybersecurity researchers have uncovered a sophisticated malware operation targeting Fortinet VPN users through an unpatched security vulnerability in FortiClient for Windows. The threat actor, known as BrazenBamboo, has developed a modular malware framework called DEEPDATA to steal sensitive credentials and data.
The Attack Details
Security firm Volexity discovered the zero-day exploitation in July 2024. The malware uses a dynamic-link library loader ("data.dll") along with an orchestrator module ("frame.dll") to deploy 12 different plugins. One previously unknown plugin specifically targets FortiClient to extract VPN credentials from the application's memory.
While Fortinet was notified about the vulnerability on July 18, 2024, the security flaw remains unpatched, leaving users potentially exposed.
Broader Malware Ecosystem
DEEPDATA is part of a larger collection of surveillance tools attributed to BrazenBamboo, including:
- DEEPPOST: A data exfiltration tool for transferring files to remote servers
- LightSpy: A multi-platform spyware targeting Windows, macOS, and iOS devices
The Windows version of LightSpy employs eight plugins to:
- Record webcam footage
- Launch remote command shells
- Collect audio
- Gather browser data
- Steal files
- Log keystrokes
- Capture screen images
- List installed software
Connection to Chinese Cyber Operations
Technical analysis reveals code and infrastructure similarities between DEEPDATA and LightSpy, suggesting they were developed by the same organization. These tools may have been created by a private enterprise that develops hacking capabilities for Chinese government operators, similar to known Chinese companies such as Chengdu 404 and I-Soon.
The malware specifically targets popular communication platforms including WhatsApp, Telegram, Signal, WeChat, LINE, QQ, Skype, Microsoft Outlook, and others.
Recommendations
Users of FortiClient for Windows should:
- Monitor for suspicious activity
- Implement additional security controls
- Watch for updates from Fortinet
- Consider alternative VPN solutions until a patch is available
The discovery of DEEPDATA highlights the ongoing evolution of sophisticated cyber espionage tools and the need for rapid security responses to protect users.