Full Report
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new cyber attack campaign by the Russia-linked APT28 (aka UAC-0001) threat actors using Signal chat messages to deliver two new malware families dubbed BEARDSHELL and COVENANT. BEARDSHELL, per CERT-UA, is written in C++ and offers the ability to download and execute PowerShell scripts, as well as upload the results of the
Analysis Summary
# Threat Actor: APT28 (UAC-0001)
## Attribution & Identity
- **Attribution:** Russia-linked threat actor.
- **Aliases:** APT28, UAC-0001.
## Activity Summary
CERT-UA reported that APT28 is actively conducting a campaign using **Signal chat messages** as an initial access vector in Ukraine. This recent campaign involves delivering a macro-laced Microsoft Word document ("Акт.doc"). This campaign is linked to previous exploitation of XSS vulnerabilities in webmail software like Roundcube, Horde, MDaemon, and Zimbra used against Ukrainian government entities to exfiltrate data and redirect emails. Historical activity observed in March-April 2024 also involved the use of the screenshot-taking tool SLIMAGENT.
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Using Signal chat messages to deliver a weaponized Microsoft Word document ("Акт.doc").
- **Execution:** The macro in the Word document drops a malicious DLL ("ctec.dll") and a PNG image ("windows.png").
- **Persistence/Execution:** The DLL loads shellcode from the PNG file, executing the COVENANT framework in memory. The macro also performs Windows Registry modifications to ensure the DLL launches upon the next execution of `explorer.exe`.
- **Payload Deployment:** COVENANT downloads intermediate payloads designed to launch the **BEARDSHELL** backdoor.
- **Data Exfiltration/C2:** BEARDSHELL can download and execute PowerShell scripts, uploading results to a remote server via the Icedrive API.
- **Related TTPs (from previously linked incidents):** Exploitation of XSS vulnerabilities in webmail software (Roundcube, MDaemon, Zimbra), with CVE-2020-35730, CVE-2021-44026 and CVE-2020-12641 cited for Roundcube, delivered via phishing emails using news articles as bait so that attacker JavaScript runs inside the victim's webmail session. That JavaScript created mailbox rules to redirect emails and exfiltrated address books and session cookies via HTTP POST requests.
## Targeting
- **Sectors:** Government (implied by targeting "gov.ua" email accounts and state organizations).
- **Geography:** Ukraine.
- **Victims:** Ukrainian government entities (specifically mentioned observation related to a "gov.ua" email account).
## Tools & Infrastructure
- **Malware Families Used:**
- **BEARDSHELL:** C++ malware used as a backdoor.
- **COVENANT:** Memory-resident malware framework.
- **SLIMAGENT:** Screenshot-taking tool observed in previous related incidents.
- **Infrastructure/C2:**
- Domains associated with BEARDSHELL C2 communication: `app.koofr[.]net`, `api.icedrive[.]net` (Icedrive API).
## Implications
APT28 is demonstrating adaptability by leveraging encrypted consumer messaging platforms (Signal) for initial access, bypassing traditional email security gateways for delivery. Their use of multi-stage payloads, including C2 frameworks like COVENANT and custom backdoors like BEARDSHELL, indicates a focused, sophisticated operation against Ukrainian targets, likely aimed at establishing long-term persistent access for espionage or information gathering.
## Mitigations
- State organizations should monitor outbound network traffic to `app.koofr[.]net` and `api.icedrive[.]net` (refang the defanged indicators before loading them into DNS or proxy blocklists). Both are legitimate cloud-storage services, so a hit should be triaged against the originating process rather than treated as confirmed compromise on its own.
- Monitor Office processes (e.g. `winword.exe`) that write DLLs or image files to user-writable paths, and processes that load a DLL from such a path or read shellcode from non-executable file types such as PNG images, since this campaign stages COVENANT that way and runs it in memory.
- Review Windows Registry entries that cause a DLL to be loaded when `explorer.exe` starts, and remove any that point at DLLs in user-writable locations.
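The following script is an added example, not code from CERT-UA or from the original report. It turns the three mitigations above into detection checks and runs them over a small set of constructed JSON telemetry lines (made up for this example; the field names are an assumed generic schema, not the output of any particular EDR, DNS or proxy product). It flags traffic to the defanged IOC domains, an Office host that drops both a DLL and a PNG, `explorer.exe` loading a DLL an Office process wrote earlier, and registry writes by an Office host. The registry key in the sample data is a placeholder, because the page does not name the key the macro modifies.

```python
"""Triage checks for the APT28 BEARDSHELL/COVENANT TTPs summarised above.

Added example: log lines below are constructed, and the event schema
(type/pid/process/path/image/key/query fields) is an assumption.
"""
import json
from collections import defaultdict

# IOC domains named by CERT-UA, kept defanged as they appear in the report.
IOC_DOMAINS = {"app.koofr[.]net", "api.icedrive[.]net"}

# Office macro hosts whose file and registry activity we want to scrutinise.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def refang(domain):
    """Turn a defanged indicator such as app.koofr[.]net into a matchable host."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


REFANGED_IOCS = {refang(d) for d in IOC_DOMAINS}


def ioc_domain_hit(host):
    """True if host equals an IOC domain or is a subdomain of one."""
    h = refang(host)
    return any(h == d or h.endswith("." + d) for d in REFANGED_IOCS)


# Constructed sample telemetry (NOT real events). Raw string so the JSON
# backslash escapes survive; json.loads turns "\\" into a single backslash.
SAMPLE_LOG = r"""
{"ts":"2025-06-20T09:01:02Z","type":"file_write","pid":4120,"process":"winword.exe","path":"C:\\Users\\victim\\AppData\\Roaming\\ctec.dll"}
{"ts":"2025-06-20T09:01:03Z","type":"file_write","pid":4120,"process":"winword.exe","path":"C:\\Users\\victim\\AppData\\Roaming\\windows.png"}
{"ts":"2025-06-20T09:01:04Z","type":"registry_set","pid":4120,"process":"winword.exe","key":"HKCU\\Software\\Example\\Persist"}
{"ts":"2025-06-20T09:02:10Z","type":"file_write","pid":5000,"process":"excel.exe","path":"C:\\Users\\victim\\Documents\\budget.xlsx"}
{"ts":"2025-06-20T09:30:00Z","type":"image_load","pid":6100,"process":"explorer.exe","image":"C:\\Users\\victim\\AppData\\Roaming\\ctec.dll"}
{"ts":"2025-06-20T09:30:01Z","type":"image_load","pid":7000,"process":"chrome.exe","image":"C:\\Program Files\\Google\\Chrome\\chrome_elf.dll"}
{"ts":"2025-06-20T09:30:05Z","type":"dns","pid":6100,"process":"explorer.exe","query":"api.icedrive.net"}
{"ts":"2025-06-20T09:30:06Z","type":"dns","pid":7200,"process":"outlook.exe","query":"outlook.office365.com"}
"""


def parse_log(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ioc_traffic(events):
    """Mitigation 1: any DNS query for an IOC domain, with the querying process."""
    return [(e["process"], e["query"]) for e in events
            if e["type"] == "dns" and ioc_domain_hit(e["query"])]


def office_drops_dll_and_png(events):
    """Mitigation 2: an Office host that writes both a .dll and a .png (ctec.dll + windows.png)."""
    exts_by_proc = defaultdict(set)
    for e in events:
        if e["type"] == "file_write" and e["process"].lower() in OFFICE_HOSTS:
            exts_by_proc[(e["process"].lower(), e["pid"])].add(e["path"].lower().rsplit(".", 1)[-1])
    return sorted(k for k, exts in exts_by_proc.items() if {"dll", "png"} <= exts)


def explorer_loads_dropped_dll(events):
    """Mitigation 3: explorer.exe loading a DLL that an Office process wrote earlier.
    Events are assumed to be in time order."""
    dropped, hits = set(), []
    for e in events:
        if (e["type"] == "file_write" and e["process"].lower() in OFFICE_HOSTS
                and e["path"].lower().endswith(".dll")):
            dropped.add(e["path"].lower())
        elif (e["type"] == "image_load" and e["process"].lower() == "explorer.exe"
                and e["image"].lower() in dropped):
            hits.append(e["image"])
    return hits


def office_registry_writes(events):
    """Mitigation 3: registry modifications made directly by an Office macro host."""
    return [(e["process"], e["key"]) for e in events
            if e["type"] == "registry_set" and e["process"].lower() in OFFICE_HOSTS]


def triage(text):
    """Run all checks over a JSON-lines telemetry dump and return the hits per check."""
    events = parse_log(text)
    return {
        "ioc_traffic": ioc_traffic(events),
        "office_drops_dll_and_png": office_drops_dll_and_png(events),
        "explorer_loads_dropped_dll": explorer_loads_dropped_dll(events),
        "office_registry_writes": office_registry_writes(events),
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(f"{check}: {hits}")
```

Each check is deliberately narrow so that a hit is explainable to an analyst: the DLL-load rule only fires for a path an Office process wrote first, which is what separates this chain from the many legitimate DLLs `explorer.exe` loads, and the domain rule matches subdomains of the IOCs but not unrelated hosts that merely contain the string.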