APT28’s Advanced Spear-Phishing Tactics: Deploying BeardShell and Covenant Modules via Weaponized Office Documents

In mid-2025, the Russian state-sponsored cyber espionage group APT28, also known as Fancy Bear, initiated a sophisticated spear-phishing campaign targeting various organizations. This operation involved the distribution of weaponized Microsoft Office documents designed to deploy two advanced malware payloads: BeardShell and Covenant’s HTTP Grunt Stager. These payloads utilize legitimate cloud services, IceDrive and Koofr, respectively, for command-and-control (C2) communications, complicating detection and mitigation efforts.

Distribution Methodology

APT28 delivered the malicious Office documents through private Signal chats. Files saved from Signal Desktop carry no Mark-of-the-Web (MOTW) zone identifier, so Office does not open them in Protected View and shows none of the warnings it applies to attachments downloaded from the internet; Office's default rule that blocks macros in files from the internet also keys on MOTW, so it did not apply either. The messages were crafted to resemble internal legal or administrative correspondence and urged recipients to open the attachment promptly.

Initial Infection Vector

When the document is opened, the embedded Visual Basic for Applications (VBA) macro switches the window to Print Layout view and then performs several functions:

1. Environment Verification: The macro checks the system environment to ensure it is not running in a sandbox or virtual machine, which are commonly used for malware analysis.

2. Payload Deobfuscation: It deobfuscates the embedded payloads, preparing them for execution.

3. Persistence Mechanism: The macro establishes persistence through Component Object Model (COM) hijacking. It drops a dynamic-link library named `prnfldr.dll` and a seemingly benign PNG image named `windows.png`, then registers the DLL as the in-process server for the Printers COM object under the current user's CLSID hive (HKCU\Software\Classes\CLSID, which Windows consults before the machine-wide entry for the same CLSID). Explorer.exe loads the DLL whenever it instantiates that object, which happens at logon and during ordinary shell activity, so the implant runs without a reboot.

Secondary Payload Execution

Once `prnfldr.dll` is loaded by Explorer.exe, it forwards the legitimate print-folder functions so the shell keeps working and starts a second thread that extracts an AES-encrypted shellcode blob from the least significant bits of each pixel in `windows.png`. Because the payload lives in the lowest bit of each pixel value, the image still renders normally and its bytes contain no recognizable code patterns, so signature-based scanners that do not decode the image have nothing to match.
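As an added example (not code from the page or from the reported implant), the following shows how a length-prefixed payload can be hidden in and recovered from the least significant bits of an image's channel bytes, and a crude statistic a defender can compute on a suspect image after decoding it to raw pixels. The cover image is a constructed RGB byte buffer, the payload is pseudo-random bytes standing in for the AES-encrypted shellcode (ciphertext is indistinguishable from noise for this purpose), and the framing (4-byte little-endian length, bits written MSB-first) is an assumption made here, not the implant's format.

```python
"""Added example: LSB steganography round-trip plus a screening heuristic.
Cover image and payload are constructed inline; the framing is assumed."""
import random
import struct
from typing import List, Tuple


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of each channel byte with one bit of '<len:4><payload>', MSB-first."""
    framed = struct.pack("<I", len(payload)) + payload
    if len(framed) * 8 > len(cover):
        raise ValueError(f"cover too small: need {len(framed) * 8} bytes, have {len(cover)}")
    out = bytearray(cover)
    pos = 0
    for byte in framed:
        for shift in range(7, -1, -1):
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Reverse embed_lsb: read the 4-byte length, then that many payload bytes."""
    def read(offset_bits: int, count: int) -> bytes:
        out = bytearray()
        for i in range(count):
            value = 0
            for j in range(8):
                value = (value << 1) | (stego[offset_bits + i * 8 + j] & 1)
            out.append(value)
        return bytes(out)

    (length,) = struct.unpack("<I", read(0, 4))
    if 32 + length * 8 > len(stego):
        raise ValueError("declared length exceeds cover capacity; not a payload in this framing")
    return read(32, length)


def lsb_transition_rate(pixels: bytes) -> float:
    """Fraction of adjacent channel bytes whose LSBs differ. Flat or smoothly
    varying regions give a low rate; embedded ciphertext pushes it toward 0.5.
    Screening heuristic only: chi-square pairs-of-values or RS analysis are the
    established tests for photographic covers, whose LSBs are noisier."""
    lsb: List[int] = [b & 1 for b in pixels]
    changes = sum(1 for a, b in zip(lsb, lsb[1:]) if a != b)
    return changes / (len(lsb) - 1)


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed cover (320 runs of 64 identical bytes, stepping slowly) and a
    2000-byte pseudo-random payload standing in for encrypted shellcode."""
    cover = bytes(128 + (i // 64) % 4 for i in range(320 * 64))
    rng = random.Random(0x5EED)
    payload = bytes(rng.getrandbits(8) for _ in range(2000))
    return cover, payload


def demo() -> Tuple[bool, float, float]:
    """Round-trip the payload and return (recovered_ok, clean_rate, stego_rate)."""
    cover, payload = build_sample()
    stego = embed_lsb(cover, payload)
    recovered = extract_lsb(stego)
    return recovered == payload, lsb_transition_rate(cover), lsb_transition_rate(stego)


if __name__ == "__main__":
    ok, clean_rate, stego_rate = demo()
    print(f"roundtrip ok={ok} clean_rate={clean_rate:.3f} stego_rate={stego_rate:.3f}")
```

The transition rate of the constructed cover is near zero because its LSBs only change at run boundaries, while the region carrying the payload looks like coin flips; on a real PNG the same extraction would be run on the decoded pixel channels, and the loader's decryption step (AES here, key not described on the page) would follow.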

Covenant’s HTTP Grunt Stager Deployment

After decrypting the shellcode, the loader initializes the Common Language Runtime (CLR) and loads the Covenant .NET assembly. Covenant is an open-source command-and-control framework commonly used by penetration testers and, increasingly, by threat actors. The HTTP Grunt Stager establishes an HTTP-based C2 channel through the Koofr cloud storage service. It creates two directories on the share, named Keeping and Tansfering, to upload reconnaissance data and download additional modules. Communications are secured using hybrid encryption, and command execution is orchestrated via Covenant Tasks. To limit forensic artifacts on the share, the implant deletes uploaded output files once the task has run.

BeardShell Backdoor Deployment

In parallel, the BeardShell backdoor operates as an unmanaged C-based DLL. It initializes the CLR to load the System.Management.Automation assembly, exposing a JSON-based interface for executing PowerShell commands. Every four hours, BeardShell polls a directory on IceDrive, named using an FNV4 hash of host attributes, to upload system information and await operator-supplied JSON command files. These commands are decrypted and executed, and the output is written back to the storage root. A representative task file has this shape:

```json
{"taskid":0,"cmdid":2,"data":{"id":0,"cmd":"ipconfig /all"}}
```
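The following is an added example, not BeardShell's code, of the two pieces an analyst or detection engineer needs in order to work with the task cycle described above: deriving the per-host directory name to look for on the share or in proxy logs, and parsing and triaging task files pulled from it. The page only says the directory is named from an FNV hash of host attributes; the choice of FNV-1a 64-bit, of hostname and username as the hashed attributes, the `|` separator and the result envelope layout are assumptions made here, and the decryption of task files is not modelled because the page gives no details of it.

```python
"""Added example: FNV-1a directory naming and task-file triage for a
BeardShell-style cloud-storage C2. Hash variant, attributes and envelope are assumed."""
import json
from dataclasses import dataclass
from typing import Any, Dict, List

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3


def fnv1a64(data: bytes) -> int:
    """Standard FNV-1a, 64-bit variant."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


def host_directory(hostname: str, username: str) -> str:
    """Assumed naming scheme: FNV-1a64 of 'hostname|username' as 16 hex digits.
    A hunter can compute this for every host in the fleet and search storage
    logs for the resulting names."""
    return f"{fnv1a64(f'{hostname}|{username}'.encode()):016x}"


@dataclass(frozen=True)
class Task:
    taskid: int
    cmdid: int
    data_id: int
    cmd: str


def parse_task(text: str) -> Task:
    """Validate an operator task file against the schema shown on the page."""
    obj = json.loads(text)
    if not isinstance(obj, dict):
        raise ValueError("task must be a JSON object")
    for key in ("taskid", "cmdid", "data"):
        if key not in obj:
            raise ValueError(f"missing field: {key}")
    data = obj["data"]
    if not isinstance(data, dict) or "cmd" not in data:
        raise ValueError("data must be an object carrying 'cmd'")
    if not all(isinstance(obj[k], int) for k in ("taskid", "cmdid")):
        raise ValueError("taskid and cmdid must be integers")
    if not isinstance(data.get("id", 0), int) or not isinstance(data["cmd"], str):
        raise ValueError("data.id must be an integer and data.cmd a string")
    return Task(obj["taskid"], obj["cmdid"], data.get("id", 0), data["cmd"])


def triage_tasks(files: Dict[str, str]) -> List[Dict[str, Any]]:
    """Given {filename: contents} pulled from a share, list the commands an
    analyst wants to see and flag files that do not fit the schema."""
    rows: List[Dict[str, Any]] = []
    for name, text in files.items():
        try:
            t = parse_task(text)
            rows.append({"file": name, "ok": True, "taskid": t.taskid, "cmdid": t.cmdid, "cmd": t.cmd})
        except (ValueError, json.JSONDecodeError) as exc:
            rows.append({"file": name, "ok": False, "error": str(exc)})
    return rows


def result_envelope(task: Task, output: str) -> str:
    """Assumed layout of the response the implant writes back to the storage root."""
    return json.dumps({"taskid": task.taskid, "cmdid": task.cmdid,
                       "data": {"id": task.data_id, "output": output}})


SAMPLE_FILES: Dict[str, str] = {  # constructed inputs, not captured artifacts
    "task_001.json": '{"taskid":0,"cmdid":2,"data":{"id":0,"cmd":"ipconfig /all"}}',
    "task_002.json": '{"taskid":1,"cmdid":2,"data":{"id":1,"cmd":"whoami /groups"}}',
    "notes.json": '{"taskid":"x","cmdid":2}',
}

if __name__ == "__main__":
    print(host_directory("WS-FIN-07", "alice"))
    for row in triage_tasks(SAMPLE_FILES):
        print(row)
```

The empty-string and single-byte hashes in the test below are the published FNV-1a 64-bit test vectors, which is how you confirm a reimplementation before trusting names derived from it.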

Implications and Countermeasures

APT28’s use of open-source frameworks like Covenant and legitimate cloud services such as Koofr and IceDrive for C2 communications represents a significant evolution in their tactics. By embedding steganographic payloads in image files and leveraging multiple cloud channels, the group effectively complicates detection and response efforts.

To mitigate such threats, organizations should implement the following measures:

1. Steganography Detection: Inspect image files that appear alongside DLLs in user-writable locations or that are read by Explorer.exe and other processes that have no business decoding them. A PNG whose least-significant-bit plane looks random rather than following the image content is an indicator worth escalating; generic antivirus signatures will not see the payload until it is decoded.

2. Cloud API Monitoring: Monitor and analyze traffic to cloud storage APIs, including consumer services such as Koofr and IceDrive that the organization does not sanction, for unusual patterns such as periodic polling from hosts with no user activity or uploads from unexpected processes.

3. User Education: Train employees to recognize and report suspicious communications, especially those urging immediate action or containing unexpected attachments, and make clear that documents received through messaging apps deserve the same caution as e-mail attachments.

4. Macro Security Policies: Disable VBA macros by Group Policy wherever they are not required, rather than relying on Office's default internet-file block, because that default keys on MOTW and does not apply to files saved from messaging clients such as Signal.

5. Regular System Audits: Audit HKCU\Software\Classes\CLSID for InprocServer32 entries that point to DLLs in user-writable paths or that shadow a machine-wide CLSID, together with the usual Run keys and scheduled tasks, to catch COM-hijack persistence that no reboot-time startup entry reveals.
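As an added example (not code from the page or from APT28's tooling), the audit below implements the registry check from point 5 for the COM-hijack persistence described under the initial infection vector: a DLL registered under the current user's CLSID hive that shadows a machine-wide COM server or lives in a user-writable directory. The core runs over a list of (hive, CLSID, DLL path) records so it works offline on the constructed sample (the CLSID and file paths are placeholders chosen here; only the `prnfldr.dll` name comes from the page), and a collector using the standard-library `winreg` module is included for live Windows hosts.

```python
"""Added example: audit HKCU CLSID in-process servers for COM-hijack indicators.
Sample records are constructed; the live collector needs a Windows host."""
import sys
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str]  # (hive, clsid, InprocServer32 default value)

TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\", "\\temp\\", "\\programdata\\")


def normalize(path: str) -> str:
    """Lower-case, strip quotes, and expand the two environment variables commonly
    seen in InprocServer32 values so prefix checks are meaningful."""
    p = path.strip().strip('"').lower()
    return p.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")


def audit_com_servers(entries: List[Entry]) -> List[Dict[str, str]]:
    """Return one finding per HKCU CLSID server that shadows an HKLM entry, points
    outside Windows/Program Files, or points into a user-writable location."""
    hklm = {clsid.lower(): normalize(path) for hive, clsid, path in entries if hive == "HKLM"}
    findings: List[Dict[str, str]] = []
    for hive, clsid, path in entries:
        if hive != "HKCU":
            continue
        npath = normalize(path)
        reasons = []
        if clsid.lower() in hklm:
            reasons.append(f"shadows HKLM server {hklm[clsid.lower()]}")
        if not npath.startswith(TRUSTED_PREFIXES):
            reasons.append("dll outside Windows/Program Files")
        if any(marker in npath for marker in USER_WRITABLE_MARKERS):
            reasons.append("dll in user-writable location")
        if reasons:
            findings.append({"clsid": clsid, "dll": path, "reasons": "; ".join(reasons)})
    return findings


def collect_live_entries() -> List[Entry]:
    """Enumerate CLSID\\{...}\\InprocServer32 default values from HKLM and HKCU.
    Windows only; on 64-bit hosts also repeat for Software\\Classes\\Wow6432Node\\CLSID."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs the Windows registry")
    import winreg
    entries: List[Entry] = []
    for name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            root = winreg.OpenKey(hive, r"Software\Classes\CLSID")
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    clsid = winreg.EnumKey(root, index)
                except OSError:
                    break
                index += 1
                try:
                    entries.append((name, clsid, winreg.QueryValue(root, clsid + r"\InprocServer32")))
                except OSError:
                    pass  # no in-process server registered under this CLSID
    return entries


# Constructed sample: placeholder CLSIDs and paths, not values from the page.
SAMPLE_ENTRIES: List[Entry] = [
    ("HKLM", "{11111111-2222-3333-4444-555555555555}", r"%SystemRoot%\System32\shell32.dll"),
    ("HKCU", "{11111111-2222-3333-4444-555555555555}", r"C:\Users\alice\AppData\Local\prnfldr.dll"),
    ("HKCU", "{66666666-7777-8888-9999-000000000000}", r"C:\Program Files\Vendor\vendorshell.dll"),
]

if __name__ == "__main__":
    entries = collect_live_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for finding in audit_com_servers(entries):
        print(finding)
```

An HKCU entry that merely duplicates its HKLM counterpart with the same trusted path is usually benign per-user registration; the combination of a shadowed CLSID and a DLL under a profile directory is the pattern to act on.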

By adopting these strategies, organizations can enhance their resilience against sophisticated spear-phishing campaigns and the deployment of advanced malware payloads.