BEARDSHELL Malware
The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about a fresh cyber attack campaign orchestrated by APT28, a threat group linked to Russia and also known as UAC-0001. This operation employs Signal chat messages to deliver two newly identified malware families, tracked as BEARDSHELL and COVENANT, marking a notable evolution in the group's tactics.
BEARDSHELL and SLIMAGENT: A Dangerous Duo
BEARDSHELL, developed in C++, was first detected between March and April 2024, deployed on a Windows system alongside a screenshot-capturing tool named SLIMAGENT. BEARDSHELL's capabilities include executing PowerShell scripts and uploading the resulting output to a remote server using the Icedrive API.
At the time of the initial detection, CERT-UA lacked clarity on how the malware infiltrated the system. However, recent findings, sparked by unauthorized access to a 'gov.ua' email account, have revealed the initial attack vector used in the 2024 incident. This deeper investigation confirmed the deployment of both BEARDSHELL and a malware framework known as COVENANT.
Infection Chain: Macro-Laced Documents and DLL Payloads
The attack begins with a Signal message carrying a malicious Microsoft Word document titled 'Акт.doc'. The document contains an embedded macro that, once the recipient enables it, drops two components:
- A malicious DLL: ctec.dll
- A disguised PNG image: windows.png
The macro then makes changes to the Windows Registry to ensure the DLL runs when explorer.exe is next launched. This DLL reads shellcode hidden in the PNG image and triggers the COVENANT malware framework, which resides in memory.
Following activation, COVENANT proceeds to download and execute two intermediate payloads that ultimately install the BEARDSHELL backdoor, granting persistent control over the infected system.
COVENANT: Sophisticated Malware Framework in Action
The COVENANT framework plays a central role in this operation, acting as the execution hub for additional malware. Its modular design allows payloads to be deployed flexibly, in this case leading directly to the execution of BEARDSHELL. Because the framework runs in memory rather than from a file on disk, it sidesteps file-based detection mechanisms, making it particularly dangerous for targeted environments.
Monitoring and Mitigation Recommendations
To reduce exposure to this campaign, CERT-UA advises government and enterprise networks to monitor traffic associated with the following domains:
- app.koofr.net
- api.icedrive.net
Being vigilant about outbound connections to these domains could help detect early signs of compromise.
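As an added illustration (not part of the CERT-UA advisory), the following Python script applies that recommendation to outbound proxy logs: it normalizes the requested host from a URL or host:port target and flags any connection whose host equals, or is a subdomain of, the two watchlist domains. The log format and the sample lines are constructed for the example; only the domains come from the advisory.

```python
"""Flag outbound connections to the domains CERT-UA recommends monitoring.

The watchlist domains come from the advisory. The log line format and the
sample traffic below are constructed for this example, not real captures.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Domains named in the advisory as worth monitoring for this campaign.
WATCHLIST = ("app.koofr.net", "api.icedrive.net")

# Constructed sample lines: "timestamp client method target status".
SAMPLE_LOG = """\
2024-04-02T10:15:01Z 10.0.0.5 CONNECT api.icedrive.net:443 200
2024-04-02T10:15:07Z 10.0.0.5 GET http://intranet.example.local/index.html 200
2024-04-02T10:16:12Z 10.0.0.9 CONNECT APP.KOOFR.NET:443 200
2024-04-02T10:16:40Z 10.0.0.9 GET https://cdn.app.koofr.net/file.bin 200
2024-04-02T10:17:03Z 10.0.0.2 CONNECT notapp.koofr.net:443 200
"""


def normalize_host(target: str) -> str:
    """Return a bare lowercase hostname from a URL or a host:port target."""
    if "://" not in target:
        target = "//" + target  # let urlsplit treat a bare host:port as a netloc
    host = urlsplit(target).hostname or ""
    return host.lower().rstrip(".")


def matches_watchlist(host: str, watchlist=WATCHLIST) -> Optional[str]:
    """Return the watchlist entry that host equals or is a subdomain of, else None.

    The dot-prefixed suffix check means 'notapp.koofr.net' does NOT match
    'app.koofr.net', while 'cdn.app.koofr.net' does.
    """
    for entry in watchlist:
        if host == entry or host.endswith("." + entry):
            return entry
    return None


def find_watchlist_hits(log_text: str, watchlist=WATCHLIST) -> List[Dict[str, str]]:
    """Parse log lines and return one dict per connection to a watchlist domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines instead of aborting the whole scan
        ts, client, _method, target = parts[:4]
        host = normalize_host(target)
        matched = matches_watchlist(host, watchlist)
        if matched:
            hits.append({"timestamp": ts, "client": client, "host": host, "matched": matched})
    return hits


if __name__ == "__main__":
    for hit in find_watchlist_hits(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['client']} -> {hit['host']} (watchlist: {hit['matched']})")
```

In a real deployment the same matching logic can be applied to DNS query logs or TLS SNI fields; a hit is a lead for investigation, not proof of compromise, since both services are legitimate cloud-storage providers.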
Conclusion: Persistent and Evolving Threats
APT28 continues to refine its attack techniques, incorporating modern messaging platforms like Signal and combining them with legacy system vulnerabilities. This dual-pronged approach, using both newly developed malware and known exploits, underscores the group's persistence and the importance of layered cybersecurity defenses. Organizations, especially government agencies, must stay alert and proactively monitor network traffic for indicators of compromise.