The emergency response team in Ukraine (CERT-UA) has prevent A new cyberattack company in Russia, associated with Russia, APT28 (AKA UAC -0001), using signal messages for the delivery of two new families malware called Beardhell and Covenant.
BeardShell, for the Cert-Ua, written in C ++ and offers the ability to download and execute PowerShell scripts, and download the performance results on a remote server via ICedrive API.
The agency said Beardhell first watched, as well as a screenshot tool called Slimagent, as part of the incident’s response efforts in March 2024 in the Windows Computer.
At the time, at the time, there were no details about how the infection had occurred, the agency stated that it had received more than a year, which had threatened with ESET, which revealed evidence of unauthorized access to the account email “gov.ua”.
The exact nature of the general information was not disclosed but probably minute Exploitation of APT28 vulnerability on script vulnerabilities (XSS) in various programs such as RoundCube, Horde, MDAEMON and Zimbra to break Ukrainian government structures.
Further investigation was caused by this discovery revealed important evidence, including the initial access vector used in the 2024 attack, as well as the presence of a beard and malicious software called “Testament”.
In particular, it turned out that the threat subjects are sending messages to the signal to deliver the macro-powered Microsoft Word document (“Act.doc”), which at the launch provides two useful loads: malicious dll (“Ctec.dll”) and PNG (“Windows.png”).
Built -in macro also introduces the Windows registry modification to make sure that Dll will be launched when the Dll Explorer (“Explorer.exe”) is started next time. The main task of DLL is to download Shellcode from the PNG file, which has led to the execution of the covenant that the memory resident.
After that, the covenant loads two more intermediate use loads designed to launch the beardhell backdoor on a compromised host.
In order to mitigate the potential risks associated with the threat, state organizations are advised to monitor the network traffic related to the “App.koofr (.) Net” and “Api.icedrive (.) Net”.
Discovering information occurs as Cert-Ua disclosed Earning for APT28 Effective A specimens of Webmail RoundCube in Ukraine to provide feats for CVE-2020-35730, CVE-2011-44026 and CVE-2020-12641 using phishing sheets that allegedly contain the text of news events, but arms these shortcomings for the execution of the arbitrary Javasript.
E-mail “contained a lure contents in the form of an article from the NV.ua Publishing, as well as a feat for the RoundCube XSS Cve-2020-35730 vulnerability and Javascript correspondent designed to download and launch additional Javascript files: ‘q.js’ and ‘E.jss’.
“E.JS” provides the creation of the mailbox rules to redirect the entrance emails to another email address, in addition to the target book exports and session sessions of the victim through HTTP requests. On the other hand, “Q.JS” has a feat for shortage of SQL in RoundCube (Cve-2021-44026), which is used to collect information from the RoundCube database.
Cert-Ua said he also discovered a third JavaScript file called “C.js”, which includes operation for the lack of a third round (Cve-2020-12641) to perform arbitrary commands on the postal server. In general, similar phishing emails were sent to the email address of more than 40 Ukrainian organizations.
