The Computer Emergency Response Team of Ukraine (CERT-UA) has identified a cyber attack campaign by the Russian state-sponsored group APT28, which CERT-UA tracks as UAC-0001. The campaign uses the Signal messenger to deliver a macro-laden document that stages the COVENANT command-and-control framework and, through it, a backdoor CERT-UA calls BEARDSHELL.
Introduction to APT28’s Recent Activities
APT28, a cyber espionage group linked to Russia’s military intelligence, has a long record of targeting governmental and military entities across Europe and the United States. Its latest campaign marks a shift in delivery: sending the lure over an end-to-end-encrypted messenger such as Signal bypasses the e-mail security gateways and attachment scanning that organisations rely on, so the document reaches the user without any server-side inspection, and defenders are left to detect the infection on the endpoint itself.
Detailed Analysis of BEARDSHELL Malware
BEARDSHELL is a backdoor written in C++. Its primary functionalities are:
– PowerShell Script Execution: it downloads and executes PowerShell scripts, which gives the operator arbitrary code execution on the compromised system without shipping a new binary for each task.
– Data Exfiltration: it uploads the execution results, and any data collected with them, to attacker-controlled storage through the Icedrive API. Icedrive is a legitimate cloud-storage service, so the exfiltration channel looks like ordinary HTTPS traffic to a public cloud provider.
CERT-UA first detected BEARDSHELL in March-April 2024 during an incident response on a Windows computer. At that time the initial infection vector could not be identified. More than a year later, intelligence from the cybersecurity firm ESET reported unauthorized access to a gov.ua email account, and the follow-up investigation established how the attackers had got in.
COVENANT Framework: A Multi-Stage Attack Tool
COVENANT is a .NET command-and-control framework (a publicly available open-source project rather than tooling written by APT28) that the group uses to establish and keep control over compromised systems. Its deployment is a multi-stage process:
1. Initial Access via Signal Messenger: Attackers send messages through Signal containing a macro-laden Microsoft Word document titled Акт.doc.
2. Execution of Malicious Macros: Upon opening the document, embedded macros execute, dropping two files: a malicious DLL (ctec.dll) and a PNG image (windows.png).
3. Persistence Mechanism: The macro adds a registry entry that causes Windows to load ctec.dll into File Explorer (explorer.exe) every time it starts, so the implant survives reboots and runs inside a trusted, always-present process rather than as a suspicious stand-alone executable.
4. Shellcode Execution: When loaded, the DLL reads shellcode hidden in windows.png and runs it directly in memory; the shellcode stages the COVENANT framework, which therefore never has to be written to disk as an executable.
5. Deployment of BEARDSHELL: COVENANT then downloads additional payloads that ultimately install the BEARDSHELL backdoor on the infected host.
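The following script is an added example of an endpoint hunt for the artifacts named in the chain above; it is not CERT-UA's or ESET's tooling. Because the advisory as summarized here gives neither the drop path nor the registry key, the script assumes the files sit under a user profile, that the persistence is a per-user registry value whose data names ctec.dll (it looks in HKCU\Software\Classes\CLSID first, since a per-user CLSID entry is the usual way to get a DLL loaded into explorer.exe, then in the CurrentVersion keys), and that a loaded DLL is visible in explorer.exe's module list. It is read-only and should be run from an elevated PowerShell session on the suspect host:

```powershell
# Added example, not from the CERT-UA advisory: hunt one Windows host for the
# Акт.doc -> ctec.dll / windows.png -> explorer.exe chain. Read-only.
# Assumptions: dropped files live under C:\Users\*, persistence lives in the
# current user's HKCU hive, and the DLL shows up in explorer.exe's module list.

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Where, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}

# 1. Dropped files: the macro-laden document and the two files it writes.
$IocNames = @('Акт.doc', 'ctec.dll', 'windows.png')
Get-ChildItem -Path 'C:\Users' -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $IocNames -contains $_.Name } |
    ForEach-Object {
        Add-Finding 'File' $_.FullName ("{0} bytes, modified {1:u}" -f $_.Length, $_.LastWriteTime)
    }

# 2. Registry persistence: any value under the current user's hive whose data
#    references ctec.dll. Both search roots are assumptions; the advisory names
#    no key. Other users' hives are only visible here if they are loaded.
$RegRoots = @(
    'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID',
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion'
)
foreach ($Root in $RegRoots) {
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $Key = $_
        $Props = Get-ItemProperty -LiteralPath $Key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $Props) { return }   # 'return' acts as 'continue' inside ForEach-Object
        foreach ($P in $Props.PSObject.Properties) {
            if ($P.Value -is [string] -and $P.Value -match '(?i)ctec\.dll') {
                Add-Finding 'Registry' "$($Key.Name)\$($P.Name)" $P.Value
            }
        }
    }
}

# 3. Live check: is the DLL currently mapped into any explorer.exe process?
Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
    $Proc = $_
    try { $Mods = $Proc.Modules } catch { $Mods = @() }   # access denied for other sessions
    $Mods | Where-Object { $_.ModuleName -ieq 'ctec.dll' } | ForEach-Object {
        Add-Finding 'LoadedModule' "explorer.exe PID $($Proc.Id)" $_.FileName
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No BEARDSHELL/COVENANT chain artifacts found (absence of these IOCs is not proof of a clean host).'
} else {
    $Findings | Format-Table -AutoSize
}
```

A hit on the file names alone is weak evidence (the names are generic), but a registry value pointing at a DLL named ctec.dll under a user profile, or that DLL mapped into explorer.exe, is worth pulling the host for forensics. The search is deliberately scoped to the current user's hive; on a shared workstation, repeat it for each loaded hive under HKEY_USERS.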
Exploitation of Webmail Vulnerabilities
In addition to the Signal-based attacks, APT28 has exploited vulnerabilities in webmail platforms such as Roundcube, Horde, MDaemon, and Zimbra to break into the mailboxes of Ukrainian government entities. These intrusions involve:
– Cross-Site Scripting (XSS) Attacks: JavaScript injected through an XSS flaw runs inside the victim’s authenticated webmail session, so it acts with the user’s privileges and can read whatever the browser can.
– Phishing Emails: messages crafted so that the exploit fires when the recipient opens them in the vulnerable webmail client or follows a link they contain. The Roundcube flaws named are CVE-2020-35730 (XSS), CVE-2021-44026 (SQL injection), and CVE-2020-12641 (remote code execution).
– Data Exfiltration: once the exploit runs, the attackers exfiltrate email contents, address books, and session cookies; a stolen session cookie lets them reuse the mailbox session without the password and without triggering a new login.
Mitigation Strategies and Recommendations
To counteract these sophisticated threats, CERT-UA recommends the following measures:
– Monitor Network Traffic: alert on DNS queries and TLS connections to app.koofr[.]net and api.icedrive[.]net, which CERT-UA links to the malware’s command-and-control and exfiltration channels. Both are legitimate cloud-storage services, so treat a hit as a lead to be checked against the originating process and user rather than as proof of compromise on its own.
– Update and Patch Systems: keep all software, especially internet-facing webmail platforms, on current versions; fixes for the Roundcube vulnerabilities above have been available since 2020-2021.
– User Education: train personnel to recognize phishing attempts and to treat unsolicited documents as suspect whatever the channel they arrive through, including messengers such as Signal, which many users regard as inherently safe.
– Implement Security Controls: block or restrict Office macros in documents received from outside the organisation, and deploy endpoint detection capable of flagging unexpected DLLs loading into explorer.exe and code executing from memory, which is where this chain lives after the initial drop.
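As an added example of the network-monitoring step (not tooling from CERT-UA), the script below checks a single Windows host for contact with the two domains named above, first in the DNS client cache and then in Sysmon DNS query events, which also record the querying process. It assumes Sysmon is installed with DNS logging (Event ID 22) enabled; without it, only the cache check produces results.

```powershell
# Added example, not from the CERT-UA advisory: look for lookups of the two
# advisory domains on one Windows host. Assumption: Sysmon is present and
# logs DNS queries (Event ID 22); the cache check works without it.

$Domains = @('app.koofr.net', 'api.icedrive.net')
# Match the domain itself or any subdomain, with the dots escaped.
$Pattern = '(?i)(^|\.)(' + (($Domains | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'

$Hits = New-Object System.Collections.Generic.List[object]

# 1. DNS client cache: short-lived, but cheap and needs no extra logging.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -match $Pattern } |
    ForEach-Object {
        $Hits.Add([pscustomobject]@{
            Source = 'DnsCache'; When = Get-Date; Process = '(unknown)'
            Domain = $_.Entry; Resolved = $_.Data
        })
    }

# 2. Sysmon Event ID 22 (DnsQuery) over the last 7 days. The Image field is
#    what separates a user's own Icedrive or Koofr client from a DLL that is
#    resolving these names from inside explorer.exe.
$Filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 22
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
    $Xml  = [xml]$_.ToXml()
    $Data = @{}
    foreach ($D in $Xml.Event.EventData.Data) { $Data[$D.Name] = $D.'#text' }
    if ($Data['QueryName'] -match $Pattern) {
        $Hits.Add([pscustomobject]@{
            Source = 'Sysmon22'; When = $_.TimeCreated; Process = $Data['Image']
            Domain = $Data['QueryName']; Resolved = $Data['QueryResults']
        })
    }
}

if ($Hits.Count -eq 0) {
    Write-Output 'No lookups of the advisory domains found on this host in the window checked.'
} else {
    $Hits | Sort-Object When | Format-Table -AutoSize
}
```

Because the traffic itself is TLS to a public cloud provider, DNS and the process that issued the query are usually all a host-based check can see; a lookup of api.icedrive.net from explorer.exe or powershell.exe is the pattern to escalate, whereas the same lookup from a user's installed sync client is not. Feeding the same two patterns to the proxy or DNS-resolver logs covers hosts without Sysmon.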
Conclusion
APT28’s recent activity shows how state-sponsored actors keep adjusting their tradecraft: moving the lure from email to an encrypted messenger to avoid gateway inspection, hiding the loader in a trusted process and an image file, and pairing that with exploitation of unpatched webmail servers. Defending against it calls for endpoint visibility rather than reliance on perimeter scanning, prompt patching of internet-facing mail systems, and timely sharing of indicators such as those CERT-UA has published.