Cloud Security, Threat Intelligence, Malware, Exposure management

Fancy Bear attacks abuse Office macros, legitimate cloud services

APT28, also known as Fancy Bear, has been observed using malicious Microsoft Office documents to gain backdoor access in a new, sophisticated attack chain, Sekoia.io revealed in a report published Tuesday.  

The attacks, dubbed “Operation Phantom Net Voxel” by Sekoia.io, ultimately deployed HTTP Grunts, part of the open-source Covenant post exploitation framework, and the BeardShell C++ backdoor. The threat actor abused two legitimate cloud services — Koofr and icedrive — to facilitate command-and-control (C2) communications.

Spearphishing messages sent via Signal, targeting Ukrainian military officials, delivered the malware-laced documents, which were designed to appear unreadable unless macros were enabled. Macros are normally disabled by default by Microsoft due to the risks of running untrusted macros.

Once enabled and run, the documents’ Visual Basic for Applications (VBA) macros dropped two files: a dynamic link library (DLL), prnfldr.dll, and a PNG image, windows.png. COM hijacking was performed to establish persistence for prnfldr.dll.

The malicious DLL extracts and decrypts the next-stage shellcode embedded in the windows.png image, which appears to be a normal Windows wallpaper. The researchers noted that for one of the documents analyzed, the image used was a photograph of a koala, koala.png.

The extracted shellcode loads another file, a portable executable (PE) containing the HTTP Grunt Stager, which allows the attacker to establish a Grunt agent for C2 communications via the Covenant framework.

APT28 uses Covenant’s C2Bridge module to proxy C2 traffic through the legitimate cloud service Koofr via its API. Through Koofr account details hardcoded within the HTTP Grunt Stager, the Grunt agent accesses directories in the attacker’s cloud storage, namely two folders named “Keeping” and “Tansfering.”

Files uploaded to “Tansfering,” which serve as Covenant “Tasks,” are downloaded and run on the victim machine, while outputs of tasks, such as screenshots of the victim’s computer, are uploaded by the agent to the “Keeping” folder.

The researchers found that the BeardShell backdoor, which retrieves and executes PowerShell commands, was installed as part of this post exploitation process. The attackers abused a different legitimate cloud service, icedrive, to serve as the C2 channel through which BeardShell receives and communicates the output of its commands.

Although not directly observed as part of Operation Phantom Net Voxel, the SlimAgent spyware was found along with BeardShell on an APT28-controlled C2 server previously investigated by Ukraine’s Computer Emergency Response Team (CERT-UA). Potentially used in other Fancy Bear campaigns, SlimAgent enables keylogging, mouse movement tracking and periodic screenshots.

Sekoia.io’s investigation of APT28’s Koofr accounts identified 42 unique partial GUIDs, potentially corresponding to 42 infected hosts dating back to December 2024. However, the researchers noted that some of the GUIDs may come from analyst sandboxes.

The researchers concluded that the Operation Phantom Net Voxel attack chain is technically more advanced that previously observed APT28 campaigns, and that the threat actor is likely to continue utilizing these methods in future attacks.

“APT28 now wields a hardened toolset that blends open source components and legitimate cloud infrastructure to evade detection and maintain long term access,” the researchers wrote.

An In-Depth Guide to Cloud Security

Get essential knowledge and practical strategies to fortify your cloud security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds