The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning regarding a new cyber attack campaign linked to the Russian threat group known as APT28, also referred to as UAC-0001. This sophisticated operation utilizes Signal chat messages to disseminate two malware families, identified as BEARDSHELL and COVENANT, which represent a significant escalation in cyber threats against Ukrainian government entities.
According to CERT-UA, BEARDSHELL is a C++-written malware that grants threat actors the capacity to download and execute PowerShell scripts while relaying execution results back to a remote server via the Icedrive API. The initial discovery of BEARDSHELL coincided with the observation of a screenshot-capturing tool named SLIMAGENT in early 2024 on a Windows system as part of incident response investigations.
Further analysis revealed that APT28 had accessed a government email account. While the specifics of the information accessed remain undisclosed, the intrusion fits an ongoing pattern of vulnerability exploitation, including XSS attacks against Ukrainian government webmail software. Earlier reports from ESET described how APT28 had targeted such vulnerabilities to infiltrate various platforms.
The unfolding investigation highlighted the use of Signal to deliver a malicious Microsoft Word document containing macros. Once the macros run, the document downloads a rogue Dynamic-Link Library and a second, disguised file, which together install the BEARDSHELL backdoor on the compromised machine. To mitigate the risk, state organizations have been advised to monitor network traffic to Icedrive's domains.
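As an added defensive example (not code from CERT-UA or this article), the following Python script applies that monitoring advice to a constructed proxy log: it flags connections to Icedrive domains using dot-boundary suffix matching, so look-alike names are not matched, and counts hits per internal source address. The domain icedrive.net is an assumption; the article does not list Icedrive's domains.

```python
"""Added example: flag proxy log entries that reach Icedrive domains."""
from collections import Counter

# Assumption: icedrive.net is the Icedrive service domain; the advisory only
# says "Icedrive's domains". Replace with the list your organisation maintains.
ICEDRIVE_DOMAINS = ("icedrive.net",)

# Constructed sample proxy log: timestamp, source IP, destination host, status.
SAMPLE_LOG = """\
2024-03-01T09:12:01Z 10.0.5.21 update.microsoft.com 200
2024-03-01T09:12:07Z 10.0.5.21 icedrive.net 200
2024-03-01T09:13:44Z 10.0.5.44 api.icedrive.net 200
2024-03-01T09:14:02Z 10.0.5.21 notaicedrive.net 200
2024-03-01T09:15:30Z 10.0.5.44 API.ICEDRIVE.NET 403
"""


def is_icedrive_host(host, domains=ICEDRIVE_DOMAINS):
    """True if host equals a watched domain or is a subdomain of one.
    Matching on a dot boundary avoids hits on look-alike names."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_icedrive_connections(log_text, domains=ICEDRIVE_DOMAINS):
    """Return (timestamp, src_ip, host) for each line reaching a watched domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or empty lines
        ts, src, host, _status = parts[:4]
        if is_icedrive_host(host, domains):
            hits.append((ts, src, host.lower()))
    return hits


def count_by_source(hits):
    """Number of Icedrive connections per internal source address."""
    return Counter(src for _ts, src, _host in hits)


if __name__ == "__main__":
    found = find_icedrive_connections(SAMPLE_LOG)
    for ts, src, host in found:
        print(f"{ts} {src} -> {host}")
    print(dict(count_by_source(found)))
```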
This alarming development underscores the increasing sophistication of cyberattacks developed by APT28, suggesting a targeted focus on exploiting both technology and human factors within Ukrainian cyber infrastructure. CERT-UA encourages vigilance among state entities, reinforcing the need for robust cybersecurity measures and awareness to counteract these elevated threats.