

Ethical Hacking News

APT28's Signal Chat Malware Campaign: A Looming Threat to Ukrainian Cybersecurity


APT28's use of Signal Chat for malware deployment has raised concerns about the evolving nature of cyber attacks in Ukraine. The BEARDSHELL and COVENANT malware pose a significant threat to state organizations, highlighting the importance of vigilance and adaptability in cybersecurity.

  • The Russia-linked threat actor group APT28 (UAC-0001) has been using Signal Chat to deploy two novel malware families: BEARDSHELL and COVENANT.
  • BEARDSHELL was first reported by CERT-UA during an incident response effort on Windows computers in March-April 2024; COVENANT was identified in the follow-up investigation.
  • APT28 exploited cross-site scripting (XSS) vulnerabilities in webmail software to breach Ukrainian government entities.
  • The campaign delivers a macro-laced Microsoft Word document over Signal Chat; the document's payloads execute the COVENANT framework, which in turn launches the BEARDSHELL backdoor.
  • State organizations are advised to monitor network traffic to two specific domains to mitigate the risk from this threat.



    Recent warnings issued by the Computer Emergency Response Team of Ukraine (CERT-UA) have shed light on a new and sophisticated cyber attack campaign waged by the Russia-linked threat actor group APT28 (also known as UAC-0001). According to CERT-UA, APT28 has been using the popular messaging platform Signal Chat to deploy two novel malware families: BEARDSHELL and COVENANT. This article examines the BEARDSHELL and COVENANT malware, their characteristics, and the implications for Ukrainian cybersecurity.

    The discovery of BEARDSHELL was first reported by CERT-UA during incident response efforts in March-April 2024, as part of a Windows computer infection. At that time, limited details were available regarding the mode of infection; subsequent threat intelligence from ESET revealed evidence of unauthorized access to a "gov.ua" email account. CERT-UA did not disclose the exact nature of this information, but it is likely related to a report last month from Slovak cybersecurity company ESET detailing APT28's exploitation of cross-site scripting (XSS) vulnerabilities in webmail software such as Roundcube, Horde, MDaemon, and Zimbra to breach Ukrainian government entities.

    Further investigation triggered by the discovery of these vulnerabilities unearthed crucial evidence, including the initial access vector used in the 2024 attack, as well as the presence of BEARDSHELL and a malware framework dubbed COVENANT. The threat actors were found to be sending messages on Signal Chat to deliver a macro-laced Microsoft Word document ("Акт.doc"), which, when launched, drops two payloads: a malicious DLL ("ctec.dll") and a PNG image ("windows.png").

    The embedded macro modifies the Windows Registry so that the DLL is loaded the next time File Explorer ("explorer.exe") starts. The DLL's primary task is to load shellcode from the PNG file, which results in the execution of the memory-resident COVENANT framework. COVENANT then downloads two further intermediate payloads designed to launch the BEARDSHELL backdoor on the compromised host.

    To mitigate the risks associated with this threat, state organizations are advised to monitor network traffic to the domains "app.koofr[.]net" and "api.icedrive[.]net". This measure matters given APT28's history of targeting outdated webmail instances in Ukraine with exploits for CVE-2020-35730, CVE-2021-44026, and CVE-2020-12641, delivered via phishing emails that ostensibly contain text about news events but weaponize these flaws to execute arbitrary JavaScript.
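    The domain-monitoring advice above is easy to get subtly wrong: a plain substring search would miss case differences and, worse, would flag unrelated names that merely contain the watched string. The following script is an added example, not part of the article or the CERT-UA advisory. It takes the two domains the advisory names, matches DNS query names as the domain itself or a subdomain of it (so "files.app.koofr.net" is a hit but "app.koofr.net.evil.test" is not), and lists the internal hosts that need review. The log format (timestamp, source IP, "query", record type, name) and the log lines themselves are constructed for the example.

```python
import re

# Domains named in the CERT-UA advisory quoted in the article (written defanged there).
WATCHED_DOMAINS = tuple(d.replace("[.]", ".") for d in ("app.koofr[.]net", "api.icedrive[.]net"))

# Constructed sample DNS log in a hypothetical "ts src query TYPE name" layout.
SAMPLE_LOG = """\
2025-06-20T09:14:02Z 10.0.5.21 query A app.koofr.net
2025-06-20T09:14:03Z 10.0.5.21 query A cdn.example.org
2025-06-20T09:15:10Z 10.0.5.44 query A API.ICEDRIVE.NET.
2025-06-20T09:16:00Z 10.0.5.21 query A app.koofr.net.evil.test
2025-06-20T09:17:30Z 10.0.7.9 query AAAA files.app.koofr.net
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query\s+\S+\s+(?P<qname>\S+)$")


def domain_matches(qname, watched):
    """True when qname equals the watched domain or is a subdomain of it.
    Normalises case and a trailing dot; never matches on bare substrings."""
    q = qname.lower().rstrip(".")
    return q == watched or q.endswith("." + watched)


def find_hits(log_text, watched=WATCHED_DOMAINS):
    """Return (timestamp, source, query_name, watched_domain) for every
    log line whose query name falls under one of the watched domains."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as hits
        for domain in watched:
            if domain_matches(m["qname"], domain):
                hits.append((m["ts"], m["src"], m["qname"].lower().rstrip("."), domain))
    return hits


def hosts_to_review(hits):
    """Distinct source addresses that resolved a watched domain, sorted."""
    return sorted({src for _, src, _, _ in hits})


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print("%s  %-10s  %-25s  matched %s" % hit)
    print("hosts to review:", hosts_to_review(find_hits(SAMPLE_LOG)))
```

    The same suffix rule applies unchanged to proxy or TLS SNI logs; only the regular expression that extracts the name would differ. Both services named are legitimate cloud-storage providers, so a hit is a lead for review rather than proof of compromise, which is why the output groups by source host instead of raising one alert per line.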

    The discovery of this new malware campaign underscores the evolving tactics, techniques, and procedures (TTPs) employed by APT28. The use of Signal Chat for malware delivery is a significant development, as it highlights the group's adaptability in leveraging popular communication platforms to spread their malicious payloads.

    In conclusion, the BEARDSHELL and COVENANT malware families pose a considerable threat to Ukrainian cybersecurity, emphasizing the importance of vigilance among state organizations and private entities alike. As APT28 continues to evolve its TTPs, it is essential that cybersecurity professionals stay abreast of emerging threats and develop strategies to mitigate their impact.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/APT28s-Signal-Chat-Malware-Campaign-A-Looming-Threat-to-Ukrainian-Cybersecurity-ehn.shtml

  • https://thehackernews.com/2025/06/apt28-uses-signal-chat-to-deploy.html


  • Published: Tue Jun 24 07:33:49 2025 by llama3.2 3B Q4_K_M












