#Fact Old image of Hindu Priest with Donald trump at White house goes viral as recent.

Executive Summary:

BrazenBamboo’s DEEPDATA malware represents a new wave of advanced cyber espionage tools, exploiting a zero-day vulnerability in Fortinet FortiClient to extract VPN credentials and sensitive data through fileless malware techniques and secure C2 communications. With its modular design, DEEPDATA targets browsers, messaging apps, and password stores, while leveraging reflective DLL injection and encrypted DNS to evade detection. Cross-platform compatibility with tools like DEEPPOST and LightSpy highlights a coordinated development effort, enhancing its espionage capabilities. To mitigate such threats, organizations must enforce network segmentation, deploy advanced monitoring tools, patch vulnerabilities promptly, and implement robust endpoint protection. Vendors are urged to adopt security-by-design practices and incentivize vulnerability reporting, as vigilance and proactive planning are critical to combating this sophisticated threat landscape.

Introduction

The increased use of zero-day vulnerabilities by more complex threat actors reinforces the importance of more developed countermeasures. One of the threat actors identified is BrazenBamboo uses a zero-day vulnerability in Fortinet FortiClient for Windows through the DEEPDATA advanced malware framework. This research explores technical details about DEEPDATA, the tricks used in its operations, and its other effects.

Technical Findings

1. Vulnerability Exploitation Mechanism

The vulnerability in Fortinet’s FortiClient lies in its failure to securely handle sensitive information in memory. DEEPDATA capitalises on this flaw via a specialised plugin, which:

• Accesses the VPN client’s process memory.
• Extracts unencrypted VPN credentials from memory, bypassing typical security protections.
• Transfers credentials to a remote C2 server via encrypted communication channels.

2. Modular Architecture

DEEPDATA exhibits a highly modular design, with its core components comprising:

• Loader Module (data.dll): Decrypts and executes other payloads.
• Orchestrator Module (frame.dll): Manages the execution of multiple plugins.
• FortiClient Plugin: Specifically designed to target Fortinet’s VPN client.

Each plugin operates independently, allowing flexibility in attack strategies depending on the target system.

3. Command-and-Control (C2) Communication

DEEPDATA establishes secure channels to its C2 infrastructure using WebSocket and HTTPS protocols, enabling stealthy exfiltration of harvested data. Technical analysis of network traffic revealed:

• Dynamic IP switching for C2 servers to evade detection.
• Use of Domain Fronting, hiding C2 communication within legitimate HTTPS traffic.
• Time-based communication intervals to minimise anomalies in network behavior.

4. Advanced Credential Harvesting Techniques

Beyond VPN credentials, DEEPDATA is capable of:

• Dumping password stores from popular browsers, such as Chrome, Firefox, and Edge.
• Extracting application-level credentials from messaging apps like WhatsApp, Telegram, and Skype.
• Intercepting credentials stored in local databases used by apps like KeePass and Microsoft Outlook.

5. Persistence Mechanisms

To maintain long-term access, DEEPDATA employs sophisticated persistence techniques:

• Registry-based persistence: Modifies Windows registry keys to reload itself upon system reboot.
• DLL Hijacking: Substitutes legitimate DLLs with malicious ones to execute during normal application operations.
• Scheduled Tasks and Services: Configures scheduled tasks to periodically execute the malware, ensuring continuous operation even if detected and partially removed.

Additional Tools in BrazenBamboo’s Arsenal

1. DEEPPOST

A complementary tool used for data exfiltration, DEEPPOST facilitates the transfer of sensitive files, including system logs, captured credentials, and recorded user activities, to remote endpoints.

2. LightSpy Variants

• The Windows variant includes a lightweight installer that downloads orchestrators and plugins, expanding espionage capabilities across platforms.
• Shellcode-based execution ensures that LightSpy’s payload operates entirely in memory, minimising artifacts on the disk.

3. Cross-Platform Overlaps

BrazenBamboo’s shared codebase across DEEPDATA, DEEPPOST, and LightSpy points to a centralised development effort, possibly linked to a Digital Quartermaster framework. This shared ecosystem enhances their ability to operate efficiently across macOS, iOS, and Windows systems.

Notable Attack Techniques

1. Memory Injection and Data Extraction

Using Reflective DLL Injection, DEEPDATA injects itself into legitimate processes, avoiding detection by traditional antivirus solutions.

• Memory Scraping: Captures credentials and sensitive information in real-time.
• Volatile Data Extraction: Extracts transient data that only exists in memory during specific application states.

2. Fileless Malware Techniques

DEEPDATA leverages fileless infection methods, where its payload operates exclusively in memory, leaving minimal traces on the system. This complicates post-incident forensic investigations.

3. Network Layer Evasion

By utilising encrypted DNS queries and certificate pinning, DEEPDATA ensures that network-level defenses like intrusion detection systems (IDS) and firewalls are ineffective in blocking its communications.

Recommendations

1. For Organisations

• Apply Network Segmentation: Isolate VPN servers from critical assets.
• Enhance Monitoring Tools: Deploy behavioral analysis tools that detect anomalous processes and memory scraping activities.
• Regularly Update and Patch Software: Although Fortinet has yet to patch this vulnerability, organisations must remain vigilant and apply fixes as soon as they are released.

2. For Security Teams

• Harden Endpoint Protections: Implement tools like Memory Integrity Protection to prevent unauthorised memory access.
• Use Network Sandboxing: Monitor and analyse outgoing network traffic for unusual behaviors.
• Threat Hunting: Proactively search for indicators of compromise (IOCs) such as unauthorised DLLs (data.dll, frame.dll) or C2 communications over non-standard intervals.

3. For Vendors

• Implement Security by Design: Adopt advanced memory protection mechanisms to prevent credential leakage.
• Bug Bounty Programs: Encourage researchers to report vulnerabilities, accelerating patch development.

Conclusion

DEEPDATA is a form of cyber espionage and represents the next generation of tools that are more advanced and tunned for stealth, modularity and persistence. While Brazen Bamboo is in the process of fine-tuning its strategies, the organisations and vendors have to be more careful and be ready to respond to these tricks. The continuous updating, the ability to detect the threats and a proper plan on how to deal with incidents are crucial in combating the attacks.

References:

1. https://thehackernews.com/2024/11/warning-deepdata-malware-exploiting.html‍
2. http://www.theregister.com/2024/11/19/china_brazenbamboo_fortinet_0day/

Introduction 

As digital platforms rapidly become repositories of information related to health, YouTube has emerged as a trusted source people look to for answers. To counter rampant health misinformation online, the platform launched YouTube Health, a program aiming to make “high-quality health information available to all” by collaborating with health experts and content creators. While this is an effort in the right direction, the program needs to be tailored to the specificities of the Indian context if it aims to transform healthcare communication in the long run.

The Indian Digital Health Context 

India’s growing internet penetration and lack of accessible healthcare infrastructure, especially in rural areas, facilitates a reliance on digital platforms for health information. However, these, especially social media, are rife with misinformation. Supplemented by varying literacy levels, access disparities, and lack of digital awareness, health misinformation can lead to serious negative health outcomes. The report ‘Health Misinformation Vectors in India’ by DataLEADS suggests a growing reluctance surrounding conventional medicine, with people looking for affordable and accessible natural remedies instead. Social media helps facilitate this shift. However, media-sharing platforms such as WhatsApp, YouTube, and Facebook host a large chunk of health misinformation. The report identifies that cancer, reproductive health, vaccines, and lifestyle diseases are four key areas susceptible to misinformation in India.

YouTube’s Efforts in Promoting Credible Health Content 

YouTube Health aims to provide evidence-based health information with “digestible, compelling, and emotionally supportive health videos,” from leading experts to everyone irrespective of who they are or where they live. So far, it executes this vision through:

• Content Curation: The platform has health source information panels and content shelves highlighting videos regarding 140+ medical conditions from authority sources like All India Institute of Medical Sciences (AIIMS), National Institute of Mental Health and Neurosciences (NIMHANS), Max Healthcare etc., whenever users search for health-related topics.
• Localization Strategies: The platform offers multilingual health content in regional languages such as Hindi, Tamil, Telugu, Marathi, Kannada, Malayalam, Punjabi, and Bengali, apart from English. This is to help health information reach viewers across most of the country. 
• Verification of professionals: Healthcare professionals and organisations can apply to YouTube’s health feature for their videos to be authenticated as an authority health source on the platform and for their videos to show up on the ‘Health Sources’ shelf.

Challenges 

• Limited Reach: India has a diverse linguistic ecosystem. While health information is made available in over 8 languages, the number is not enough to reach everyone in the country. Efforts to reach more people in vernacular languages need to be ramped up. Further, while there were around 50 billion views of health content on YouTube in 2023, it is difficult to measure the on-ground outcomes of those views.
• Lack of Digital Literacy: Misinformation on digital platforms cannot be entirely curtailed owing to the way algorithms are designed to enhance user engagement. However, uploading authoritative health information as a solution may not be enough, if users lack awareness about misinformation and the need to critically evaluate and trust only credible sources. In India, this critical awareness remains largely underdeveloped.

Conclusion 

Considering that India has over 450 million users, by far the highest number of users in any country in the world, the platform has recognized that it can play a transformative role in the country’s digital health ecosystem. To accomplish its mission “to combat the societal threat of medical misinformation,” YouTube will have to continue to take several proactive measures. There is scope for strengthening collaborations with Indian public health agencies and trusted public figures, national and regional,  to provide credible health information to all.  The approach will have to be tailored to India’s vast linguistic diversity, by encouraging capacity-building for vernacular creators to produce credible content. Finally, multiple stakeholders will need to come together to promote digital literacy through education campaigns about identifying trustworthy sources.

Sources 

• https://indianexpress.com/article/technology/tech-news-technology/youtube-health-dr-garth-graham-interview-9746673/ 
• https://economictimes.indiatimes.com/news/india/cancer-misinformation-extremely-prevalent-in-india-trust-in-science-medicine-crucial-report/articleshow/115931783.cms?from=mdr 
• https://health.youtube/our-mission/ 
• https://health.youtube/features-application/ 
• https://backlinko.com/youtube-users 

Executive Summary:

A misleading video of a child covered in ash allegedly circulating as the evidence for attacks against Hindu minorities in Bangladesh. However, the  investigation revealed that the video is actually from Gaza, Palestine, and was filmed following an Israeli airstrike in July 2024. The claim linking the video to Bangladesh is false and misleading.

Claims:

A viral video claims to show a child in Bangladesh covered in ash as evidence of attacks on Hindu minorities.

Fact Check:

Upon receiving the viral posts, we conducted a Google Lens search on keyframes of the video, which led us to a X post posted by Quds News Network. The report identified the video as footage from Gaza, Palestine, specifically capturing the aftermath of an Israeli airstrike on the Nuseirat refugee camp in July 2024.

The caption of the post reads, “Journalist Hani Mahmoud reports on the deadly Israeli attack yesterday which targeted a UN school in Nuseirat, killing at least 17 people who were sheltering inside and injuring many more.”

‍

To further verify, we examined the video footage where the watermark of Al Jazeera News media could be seen, We found the same post posted on the Instagram account on 14 July, 2024 where we confirmed that the child in the video had survived a massacre caused by the Israeli airstrike on a school shelter in Gaza. 

‍

Additionally, we found the same video uploaded to CBS News' YouTube channel, where it was clearly captioned as "Video captures aftermath of Israeli airstrike in Gaza",  further confirming its true origin.

‍

We found no credible reports or evidence were found linking this video to any incidents in Bangladesh. This clearly implies that the viral video was falsely attributed to Bangladesh. 

Conclusion:

The video circulating on social media which shows a child covered in ash as the evidence of attack against Hindu minorities is false and misleading. The investigation leads that the video originally originated from Gaza, Palestine and documents the aftermath of an Israeli air strike in July 2024.  

• Claims: A video shows a child in Bangladesh covered in ash as evidence of attacks on Hindu minorities.
• Claimed by: Facebook
• Fact Check: False & Misleading