Jun 24, 2025 | Ravie Lakshmanan | Malware / Threat Intelligence
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new cyber attack campaign by the Russia-linked APT28 (aka UAC-0001) threat actors using Signal chat messages to deliver two new malware families dubbed BEARDSHELL and COVENANT.
BEARDSHELL, per CERT-UA, is written in C++ and provides the ability to download and execute PowerShell scripts, as well as upload the results of the execution back to a remote server over the Icedrive API.
The agency said it first observed BEARDSHELL, alongside a screenshot-taking tool named SLIMAGENT, as part of incident response efforts in March-April 2024 on a Windows computer.
While at the time there were no details available on how the infection occurred, the agency said it received threat intelligence from ESET more than a year later that detected evidence of unauthorized access to a “gov.ua” email account.
The exact nature of the information shared was not disclosed, but it likely relates to a report from the Slovak cybersecurity company last month that detailed APT28’s exploitation of cross-site scripting (XSS) vulnerabilities in various webmail software such as Roundcube, Horde, MDaemon, and Zimbra to breach Ukrainian government entities.
Further investigation triggered as a result of this discovery unearthed crucial evidence, including the initial access vector used in the 2024 attack, as well as the presence of BEARDSHELL and a malware framework dubbed COVENANT.
Specifically, it has come to light that the threat actors are sending messages on Signal to deliver a macro-laced Microsoft Word document (“Акт.doc”), which, when launched, drops two payloads: a malicious DLL (“ctec.dll”) and a PNG image (“windows.png”).
The embedded macro also makes Windows Registry modifications to ensure that the DLL is launched the next time File Explorer (“explorer.exe”) starts. The primary task of the DLL is to load the shellcode from the PNG file, resulting in the execution of the memory-resident COVENANT framework.
COVENANT subsequently downloads two more intermediate payloads that are designed to launch the BEARDSHELL backdoor on the compromised host.
To mitigate potential risks associated with the threat, state organizations are recommended to monitor network traffic associated with the domains “app.koofr[.]net” and “api.icedrive[.]net.”
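As an added example (not part of the CERT-UA advisory or this article), the following Python script sweeps a proxy log for requests to the two domains named above, matching the exact host or its subdomains rather than any substring, and groups hits per client. The log layout and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Domains CERT-UA recommends monitoring, written as the advisory defangs them.
WATCHED_DOMAINS = ["app.koofr[.]net", "api.icedrive[.]net"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

def host_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match; a substring test would also flag 'notapi.icedrive.net'."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

# Constructed proxy-log layout (an assumption, not any real product's format):
# <ISO-8601 timestamp> <client-ip> <method> <url>
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
HOST_IN_URL = re.compile(r"^[a-z]+://([^/:]+)")

def find_watched_traffic(log_lines, watched=WATCHED_DOMAINS):
    """Return {client_ip: {domain: [timestamps]}} for requests to watched domains."""
    domains = [refang(d) for d in watched]
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole sweep
        ts, client, _method, url = m.groups()
        h = HOST_IN_URL.match(url.lower())
        if not h:
            continue  # no scheme/host, nothing to compare against
        for d in domains:
            if host_matches(h.group(1), d):
                hits[client][d].append(ts)
    return {c: dict(v) for c, v in hits.items()}

# Constructed sample log, not real telemetry; the last two lines are decoys.
SAMPLE_LOG = [
    "2025-06-20T09:14:02Z 10.1.4.23 GET https://api.icedrive.net/v1/files",
    "2025-06-20T09:14:05Z 10.1.4.23 POST https://api.icedrive.net/v1/upload",
    "2025-06-20T09:15:11Z 10.1.4.57 GET https://app.koofr.net/files",
    "2025-06-20T09:16:00Z 10.1.4.99 GET https://www.example.com/app.koofr.net",
    "2025-06-20T09:16:30Z 10.1.4.99 GET https://notapi.icedrive.net/",
]

if __name__ == "__main__":
    for client, per_domain in find_watched_traffic(SAMPLE_LOG).items():
        for domain, stamps in per_domain.items():
            print(f"{client} -> {domain}: {len(stamps)} request(s), first {stamps[0]}")
```

Both services are legitimate cloud-storage providers, so a hit is a triage lead for the client host, not proof of compromise on its own.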
The disclosure comes as CERT-UA revealed APT28’s targeting of outdated Roundcube webmail instances in Ukraine to deliver exploits for CVE-2020-35730, CVE-2021-44026, and CVE-2020-12641 via phishing emails that ostensibly contain text about news events but weaponize these flaws to execute arbitrary JavaScript.
The email “contained a content bait in the form of an article from the publication ‘NV’ (nv.ua), as well as an exploit for the Roundcube XSS vulnerability CVE-2020-35730 and the corresponding JavaScript code designed to download and run additional JavaScript files: ‘q.js’ and ‘e.js,’” CERT-UA said.
“E.js” ensures the creation of a mailbox rule for redirecting incoming emails to a third-party email address, in addition to exfiltrating the victim’s address book and session cookies via HTTP POST requests. On the other hand, “q.js” features an exploit for an SQL injection flaw in Roundcube (CVE-2021-44026) that is used to gather information from the Roundcube database.
CERT-UA said it also discovered a third JavaScript file named “c.js” that includes an exploit for a third Roundcube flaw (CVE-2020-12641) to execute arbitrary commands on the mail server. In all, similar phishing emails were sent to the email addresses of more than 40 Ukrainian organizations.