The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new cyber attack campaign by the Russia-linked APT28 (aka UAC-0001) threat actors using Signal chat messages to deliver two new malware families dubbed BEARDSHELL and COVENANT.
BEARDSHELL, per CERT-UA, is written in C++ and offers the ability to download and execute PowerShell scripts, as well as upload the results of the execution back to a remote server over the Icedrive API.
The agency said it first observed BEARDSHELL, alongside a screenshot-taking tool named SLIMAGENT, as part of incident response efforts in March-April 2024 in a Windows computer.
While at that time, there were no details available on how the infection took place, the agency said it received threat intelligence from ESET more than a year later that detected evidence of unauthorized access to a “gov.ua” email account.
The exact nature of the information shared was not disclosed, but it likely pertains to a report from the Slovak cybersecurity company last month that detailed APT28’s exploitation of cross-site scripting (XSS) vulnerabilities in various webmail software such as Roundcube, Horde, MDaemon, and Zimbra to breach Ukrainian government entities.
Further investigation triggered as a result of this discovery unearthed crucial evidence, including the initial access vector used in the 2024 attack, as well as the presence of BEARDSHELL and a malware framework dubbed COVENANT.
Specifically, it has come to light that the threat actors are sending messages on Signal to deliver a macro-laced Microsoft Word document (“Акт.doc”), which, when launched, drops two payloads: A malicious DLL (“ctec.dll”) and a PNG image (“windows.png”).
The embedded macro also makes Windows Registry modifications to ensure that the DLL is launched when the File Explorer (“explorer.exe”) is launched the next time. The primary task of the DLL is to load the shellcode from the PNG file, resulting in the execution of the memory-resident COVENANT framework.
COVENANT subsequently downloads two more intermediate payloads that are designed to launch the BEARDSHELL backdoor on the compromised host.
To mitigate potential risks associated with the threat, state organizations are recommended to keep an eye on network traffic associated with the domains “app.koofr[.]net” and “api.icedrive[.]net.”
The disclosure comes as CERT-UA revealed APT28’s targeting of outdated Roundcube webmail instances in Ukraine to deliver exploits for CVE-2020-35730, CVE-2021-44026, and CVE-2020-12641 via phishing emails that ostensibly contain text about news events but weaponize these flaws to execute arbitrary JavaScript.
The email “contained a content bait in the form of an article from the publication ‘NV’ (nv.ua), as well as an exploit for the Roundcube XSS vulnerability CVE-2020-35730 and the corresponding JavaScript code designed to download and run additional JavaScript files: ‘q.js’ and ‘e.js,'” CERT-UA said.
“E.js” ensures the creation of a mailbox rule for redirecting incoming emails to a third-party email address, in addition to exfiltrating the victim’s address book and session cookies via HTTP POST requests. On the other hand, “q.js” features an exploit for an SQL injection flaw in Roundcube (CVE-2021-44026) that’s used to gather information from the Roundcube database.
CERT-UA said it also discovered a third JavaScript file named “c.js” that includes an exploit for a third Roundcube flaw (CVE-2020-12641) to execute arbitrary commands on the mail server. In all, similar phishing emails were sent to the email addresses of more than 40 Ukrainian organizations.
