APT28 Exploits Signal App to Deliver BEARDSHELL and COVENANT Malware

The420.in Staff

Ukraine’s cyber defense agency, CERT-UA, has exposed a fresh wave of cyberattacks orchestrated by Russian state-sponsored group APT28 (aka UAC-0001). The campaign leverages the Signal messaging app to distribute malware-laced documents, delivering two advanced payloads: BEARDSHELL and COVENANT.

Malware Delivered via Signal Chat Messages

CERT-UA reports that attackers sent victims a Microsoft Word file titled “Акт.doc” through Signal. The file contained malicious macros that dropped a malicious DLL (ctec.dll) and a PNG image (windows.png) containing encrypted shellcode. When executed, the malware modified Windows Registry keys to launch the DLL on reboot. This DLL then extracted and executed the shellcode from the PNG file, deploying the memory-resident COVENANT framework, a known red-teaming tool.


COVENANT and BEARDSHELL: Dual Threat Chain

Once active, COVENANT downloaded further payloads that launched BEARDSHELL, a C++ backdoor. BEARDSHELL enables:

  • Execution of PowerShell scripts
  • Data exfiltration via the Icedrive API
  • Real-time command and control through stealthy communications

Investigations revealed BEARDSHELL operating alongside a screenshot utility called SLIMAGENT, first spotted in March-April 2024 on compromised Windows machines.

Initial Access Traced to Webmail Exploits

The breach was traced back to a compromised gov.ua email account, reportedly accessed via vulnerabilities in popular webmail clients. Slovak cybersecurity firm ESET had earlier flagged APT28’s use of XSS flaws in:

  • Roundcube (CVE-2020-35730, CVE-2020-12641)
  • Horde
  • MDaemon
  • Zimbra


APT28 crafted phishing emails disguised as news articles from nv.ua, which triggered JavaScript exploits to create email redirect rules, steal session cookies and contact lists, and conduct SQL injection attacks. CERT-UA confirmed over 40 Ukrainian organizations were targeted with this phishing tactic.

Domains and Indicators of Compromise

CERT-UA advises organizations to monitor and block traffic linked to:

  • app.koofr[.]net
  • api.icedrive[.]net

These domains were used to manage the payload delivery and data exfiltration stages of the attack.
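An added example, not code from CERT-UA or this article, showing how a defender could check DNS query logs against the two published indicators. The defanged `[.]` notation is normalized first, subdomains of an indicator are treated as hits, and the log format and sample lines are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Indicators as published by CERT-UA, in defanged form so they are not clickable in reports.
DEFANGED_IOCS = ["app.koofr[.]net", "api.icedrive[.]net"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

# Constructed sample lines: "<timestamp> <client-ip> query <name>".
# This resolver log format is an assumption for the example, not a CERT-UA artifact.
SAMPLE_LOG = """\
2024-04-02T09:15:01Z 10.0.0.21 query www.example.com
2024-04-02T09:15:07Z 10.0.0.21 query API.ICEDRIVE.NET.
2024-04-02T09:16:30Z 10.0.0.33 query cdn.app.koofr.net
2024-04-02T09:17:44Z 10.0.0.33 query icedrive.net
2024-04-02T09:18:02Z 10.0.0.50 query notapi.icedrive.net.evil.test
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")


def matches_ioc(name: str) -> Optional[str]:
    """Return the indicator matched by `name` (exact host or a subdomain of it), else None."""
    host = name.lower().rstrip(".")  # case-fold and drop the trailing root dot
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(text: str) -> List[Dict[str, str]]:
    """Parse resolver log lines and return one record per query that hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, client, qname = m.groups()
        ioc = matches_ioc(qname)
        if ioc:
            hits.append({"time": ts, "client": client,
                         "query": qname.rstrip(".").lower(), "ioc": ioc})
    return hits
```

Note that the bare apex `icedrive.net` and a look-alike such as `notapi.icedrive.net.evil.test` are deliberately not matched; only the published hosts and their subdomains are.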

About the author – Ayush Chaurasia is a postgraduate student passionate about cybersecurity, threat hunting, and global affairs. He explores the intersection of technology, psychology, national security, and geopolitics through insightful writing.
