The Pc Emergency Response Workforce of Ukraine (CERT-UA) has warned of a brand new cyber assault marketing campaign by the Russia-linked APT28 (aka UAC-0001) risk actors utilizing Sign chat messages to ship two beforehand undocumented malware households dubbedd BEARDSHELL and COVENANT.
BEARDSHELL, per CERT-UA, is written in C++ and presents the power to obtain and execute PowerShell scripts, in addition to add the outcomes of the execution again to a distant server over the Icedrive API.
The company mentioned it first noticed BEARDSHELL, alongside a screenshot-taking device named SLIMAGENT, as a part of incident response efforts in March-April 2024 in a Home windows pc.
Whereas there have been no particulars accessible on how the an infection happened at the moment, the company mentioned it obtained risk intelligence from ESET greater than a yr later that detected proof of unauthorized entry to a “gov.ua” electronic mail account.
The precise nature of the knowledge shared was not disclosed, however it doubtless pertains to a report from the Slovak cybersecurity firm final month that detailed APT28’s exploitation of cross-site scripting (XSS) vulnerabilities in numerous webmail software program similar to Roundcube, Horde, MDaemon, and Zimbra to breach Ukrainian authorities entities.
Additional investigation triggered because of this discovery unearthed essential proof, together with the preliminary entry vector used within the 2024 assault, in addition to the presence of BEARDSHELL and a malware framework dubbed COVENANT.
Particularly, it has come to mild that the risk actors are sending messages on Sign to ship a macro-laced Microsoft Phrase doc (“Акт.doc”), which, when launched, drops two payloads: A malicious DLL (“ctec.dll”) and a PNG picture (“home windows.png”).
The embedded macro additionally makes Home windows Registry modifications to make sure that the DLL is loaded when Home windows File Explorer (“explorer.exe”) is launched the following time. The first process of the DLL is to load shellcode from the PNG file, ensuing within the execution of the memory-resident COVENANT framework.
COVENANT subsequently downloads two extra intermediate payloads which are designed to launch the BEARDSHELL backdoor on the compromised host.
To mitigate potential dangers related to the risk, state organizations are really useful to regulate community site visitors related to the domains “app.koofr[.]internet” and “api.icedrive[.]internet.”
The disclosure comes as CERT-UA revealed APT28’s focusing on of outdated Roundcube webmail situations in Ukraine to ship exploits for CVE-2020-35730, CVE-2021-44026, and CVE-2020-12641 through phishing emails that ostensibly comprise textual content about information occasions however weaponize these flaws to execute arbitrary JavaScript.
The e-mail “contained a content material bait within the type of an article from the publication ‘NV’ (nv.ua), in addition to an exploit for the Roundcube XSS vulnerability CVE-2020-35730 and the corresponding JavaScript code designed to obtain and run extra JavaScript information: ‘q.js’ and ‘e.js,'” CERT-UA mentioned.
“E.js” ensures the creation of a mailbox rule for redirecting incoming emails to a third-party electronic mail deal with, along with exfiltrating the sufferer’s deal with e-book and session cookies through HTTP POST requests. Then again, “q.js” options an exploit for an SQL injection flaw in Roundcube (CVE-2021-44026) that is used to collect info from the Roundcube database.
CERT-UA mentioned it additionally found a 3rd JavaScript file named “c.js” that features an exploit for a 3rd Roundcube flaw (CVE-2020-12641) to execute arbitrary instructions on the mail server. In all, related phishing emails have been despatched to the e-mail addresses of greater than 40 Ukrainian organizations.
