

Ethical Hacking News

Russia-Linked APT28 Utilizes Signal Chats as a Vector for Malicious Activities Targeting Ukrainian Officials



Russia-linked APT group APT28 has been found to target Ukrainian government officials through Signal chats, employing two new malware strains in a sophisticated phishing campaign. According to recent reports, the actors use legitimate cloud services to avoid detection and abuse the trust placed in Signal as an official communications channel. The attack highlights the evolving tactics nation-state actors use to evade detection and underscores the need for continued vigilance in cybersecurity efforts.

  • APT28, a Russia-linked APT group, targets Ukrainian government officials using Signal chats.
  • APT28 uses new malware strains, BeardShell and SlimAgent, linked to the COVENANT framework.
  • The attack vector involves phishing attempts with malicious documents containing macros.
  • The dropped DLL launches COVENANT in memory through shellcode decrypted from a PNG file.
  • Persistence is maintained through COM hijacks and scheduled tasks.
  • The CERT-UA report lists indicators of compromise (IoCs), including network traffic to specific domains.
  • The attack vector demonstrates evolving tactics used by nation-state actors to evade detection.
  • Necessary precautions include monitoring network traffic and detecting suspicious activity.



Russia-linked Advanced Persistent Threat (APT) group APT28 has been identified targeting Ukrainian government officials through Signal chats. According to recent reports, the actors are employing two new malware strains, designated BeardShell and SlimAgent, which have been linked to the COVENANT framework.

The attack vector exploits the growing popularity of Signal for official communications to make phishing attempts more convincing. While Signal itself remains secure, attackers leverage its widespread adoption to deliver malicious documents containing macros. The macros create two files, ctec.dll and windows.png, and add a registry key for COM hijacking so that the DLL is loaded by explorer.exe.

The DLL launches COVENANT directly into memory through shellcode decrypted from the PNG file. COVENANT then loads another DLL and a WAV file containing shellcode, which activates the BeardShell backdoor. Persistence is maintained through a further COM hijack and a scheduled task.

The CERT-UA report lists indicators of compromise (IoCs) for this threat, including the domains app.koofr.net and api.icedrive.net, which defenders should watch for in network traffic. The report also underscores the importance of detecting unauthorized access to email accounts in official domains.

The attack vector employed by APT28 is a further example of nation-state actors evolving their tactics to evade detection and abusing legitimate cloud services for covert communication. It is a stark reminder of the need for continued vigilance in cybersecurity efforts to counter such activity.

In light of this incident, officials and organizations that may be targeted by APT28 should take the necessary precautions to prevent similar attacks. Monitoring network traffic and watching for suspicious activity will be crucial in identifying potential threats and mitigating their impact.
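As an added, defender-side example (not code from the original article or from CERT-UA), the Python below applies the two detection ideas in this report to constructed sample data: it flags proxy-log connections to the two indicator hosts named above, and it flags HKCU COM InprocServer32 registrations whose DLL lives in a user-writable directory, the trace a macro-planted DLL such as ctec.dll would leave. The log and registry-dump line formats, the user-writable path list and the CLSIDs are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Hosts named as indicators of compromise in the CERT-UA report cited above.
IOC_HOSTS = {"app.koofr.net", "api.icedrive.net"}

# Lower-cased fragments of directories an unprivileged user can write to.
# A per-user COM server DLL living here is a classic hijack sign (assumption).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed proxy-log shape: "<ts> <client_ip> <method> <host> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<status>\d{3})$")

# Constructed registry-dump shape: "<HKCU CLSID InprocServer32 key> = <default value>".
COM_RE = re.compile(r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9a-f-]{36}\})\\InprocServer32 = (.+)$", re.I)

def host_matches_ioc(host: str) -> bool:
    """True for an exact IoC host or any subdomain of one; case-insensitive."""
    h = host.lower().rstrip(".")
    return any(h == ioc or h.endswith("." + ioc) for ioc in IOC_HOSTS)

def find_ioc_connections(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return the proxy-log entries whose destination host is an IoC."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and host_matches_ioc(m["host"]):
            hits.append({"ts": m["ts"], "client": m["client"], "host": m["host"]})
    return hits

def find_user_com_hijacks(reg_lines: List[str]) -> List[Dict[str, str]]:
    """Return HKCU InprocServer32 entries that point at a DLL in a user-writable path."""
    hits = []
    for line in reg_lines:
        m = COM_RE.match(line.strip())
        if m and any(frag in m.group(2).strip().strip('"').lower() for frag in USER_WRITABLE):
            hits.append({"clsid": m.group(1), "dll": m.group(2).strip()})
    return hits

# Constructed sample data: one benign host, both IoC hosts, one look-alike, and two CLSIDs.
SAMPLE_LOG = [
    "2025-06-24T10:01:02Z 10.0.0.15 CONNECT update.microsoft.com 200",
    "2025-06-24T10:03:11Z 10.0.0.15 CONNECT app.koofr.net 200",
    "2025-06-24T10:03:40Z 10.0.0.22 GET API.ICEDRIVE.NET 200",
    "2025-06-24T10:04:00Z 10.0.0.22 GET koofr.net.example.com 200",
]
SAMPLE_REG = [
    r"HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32 = C:\Users\alice\AppData\Roaming\ctec.dll",
    r"HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32 = C:\Windows\System32\shell32.dll",
]

if __name__ == "__main__":
    for hit in find_ioc_connections(SAMPLE_LOG) + find_user_com_hijacks(SAMPLE_REG):
        print("ALERT", hit)
```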



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Russia-Linked-APT28-Utilizes-Signal-Chats-as-a-Vector-for-Malicious-Activities-Targeting-Ukrainian-Officials-ehn.shtml

  • https://securityaffairs.com/179288/apt/russia-linked-apt28-use-signal-chats-to-target-ukraine-official-with-malware.html


  • Published: Tue Jun 24 14:13:32 2025 by llama3.2 3B Q4_K_M
