BleepingComputer reports that attacks exploiting Signal chats to deploy novel BeardShell and SlimAgent payloads have been launched by Russian state-sponsored hacking group APT28, also known as UAC-001, against Ukrainian government targets.
According to the Computer Emergency Response Team of Ukraine (CERT-UA), the malicious Signal messages sent by APT28 delivered a document that loaded the memory-resident Covenant backdoor, which in turn executed the C++-based BeardShell malware; both the loader and the primary payload relied on Windows registry COM hijacking for persistence. BeardShell downloads, decrypts, and executes PowerShell scripts, then sends the stolen data to a command-and-control channel built on the Icedrive API. Earlier APT28 attacks instead used the SlimAgent tool, which called various Windows API functions to capture screenshots and exfiltrate them to its attack server. The CERT-UA report arrives amid the reported abuse of Signal in spear-phishing attacks and Dark Crystal RAT malware intrusions against Ukrainian targets.
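The registry COM-hijacking persistence described above can be hunted for on an endpoint by looking for per-user CLSID registrations that shadow machine-wide ones or point at DLLs in user-writable directories. The following PowerShell script is an added defender-side example, not code from the article or from CERT-UA; the set of "user-writable" directories it checks is an assumption based on Windows defaults, and it reports candidates for analyst review rather than proving compromise.

```powershell
# Hunt for possible COM hijacking persistence: per-user CLSID server registrations
# (HKCU) that shadow machine-wide ones (HKLM) or that point at DLLs/EXEs in
# user-writable locations. Added example; not from the article or CERT-UA.

function Get-SuspiciousComRegistrations {
    [CmdletBinding()]
    param()

    $userRoot    = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
    $machineRoot = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID'

    # Directories an unprivileged user can normally write to (assumption: default layout).
    $userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

    if (-not (Test-Path $userRoot)) { return }

    Get-ChildItem -Path $userRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        foreach ($server in 'InprocServer32', 'LocalServer32') {
            $userKey = Join-Path $_.PSPath $server
            if (-not (Test-Path $userKey)) { continue }

            # The server module path is the key's default value.
            $module = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'
            if (-not $module) { continue }
            $expanded = [Environment]::ExpandEnvironmentVariables($module).Trim('"')

            # HKCU entries win over HKLM when the merged HKCR view is resolved,
            # so a user-hive copy of a machine-registered CLSID is the classic hijack shape.
            $shadowsMachine = Test-Path (Join-Path $machineRoot "$clsid\$server")
            $inUserDir = $userWritable | Where-Object {
                $expanded.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
            }

            if ($shadowsMachine -or $inUserDir) {
                [pscustomobject]@{
                    CLSID        = $clsid
                    ServerKey    = $server
                    Path         = $expanded
                    ShadowsHKLM  = [bool]$shadowsMachine
                    UserWritable = [bool]$inUserDir
                    FileExists   = Test-Path -LiteralPath $expanded -PathType Leaf
                }
            }
        }
    }
}

Get-SuspiciousComRegistrations | Format-Table -AutoSize
```

Run it under the account being investigated, since HKCU is per-user; hits with ShadowsHKLM set and a module in a user-writable directory deserve the closest look, and the module itself should be hashed and submitted for analysis.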