The Ukrainian Computer Emergency Response Team (CERT-UA) has warned about a new cyberattack campaign by APT28 (aka UAC-0001) related to Russia, about threat actors using signal chat messages to provide two new malware families called Beardshell and Covenant.
BeardShell per CERT-UA is written in C++ and provides the ability to download and run PowerShell scripts, and uploads the results of the execution to a remote server on the ICEDRIVE API.
The agency said it first observed Beardshell, along with a screenshot taker named Slimagent, as part of its March-April incident response efforts on Windows computers.
At that time, there was no details about how the infection occurred, but the agency said it received threat information from ESET more than a year later that evidence of unauthorized access to its “Gov.ua” email account had been detected.
The exact nature of the information shared has not been revealed, but it may be related to a report from Slovak Cybersecurity Company last month about the exploitation of APT28 of various webmail software cross-site scripting (XSS) vulnerability to RoundCube, Horde, Mdaemon and Zimbra.
This discovery was triggered as a result of the discovery of important evidence, including the initial access vector used in the 2024 attack, the existence of Beard Shell, and the malware framework called Contracts.
Specifically, it has been revealed that threat actors are sending messages over the signal to deliver the Macro Race Microsoft Word Document (“aop.doc”).
The embedded macro also makes changes to the Windows registry so that the DLL will be launched the next time the file Explorer (“Explorer.exe”) is launched. The main task of the DLL is to load shellcode from a PNG file, which runs the Memory Resident Covenant Framework.
The Covenant then downloads two intermediate payloads designed to launch a Beardshell backdoor to the compromised host.
It is recommended to be aware of domain-related network traffic to mitigate potential risks associated with threats.[.]net “and” api.icedrive[.]net. “
It occurs when CERT-UA reveals targeting APT28 for outdated round cube webmail instances in Ukraine and provides exploits for CVE-2020-35730, CVE-2021-44026, and CVE-2020-2641.
The email stated that “content bait in the form of articles in the publication “NV” (NV.UA) and exploits of the RoundCube XSS vulnerability CVE-2020-35730 and corresponding JavaScript code designed to download and run additional JavaScript files: ‘Q.JS’ and ‘e.js’ ect-ua.
In addition to excluding victim address books and session cookies via HTTP posting requests, “E.JS” ensures that you create mailbox rules to redirect incoming emails to third-party email addresses. Meanwhile, “Q.JS” features an exploit of SQL injection defects in RoundCube (CVE-2021-44026) that is used to collect information from the RoundCube database.
CERT-UA also found a third JavaScript file named “C.JS” containing the exploit of the third round cube defect (CVE-2020-12641) to run any command on the mail server. Overall, similar phishing emails have been sent to email addresses of more than 40 Ukrainian organizations.
Source link
