Threat Actors Use BEARDSHELL Backdoor and COVENANT Framework to Compromise Government Entities and Steal Sensitive Information

A new wave of cyber attacks has been unleashed on Ukraine by Russia-linked hackers, using Signal chat messages and webmail vulnerabilities to deliver malware and steal sensitive information. The attacks, attributed to the APT28 group, have been detected by the Computer Emergency Response Team of Ukraine (CERT-UA) and involve the use of two new malware families: BEARDSHELL and COVENANT.

According to CERT-UA, BEARDSHELL is a C++-based backdoor that allows hackers to download and execute PowerShell scripts, as well as upload the results of the execution back to a remote server over the Icedrive API. The agency first observed BEARDSHELL in March-April 2024, as part of incident response efforts in a Windows computer, but at the time, there were no details available on how the infection took place.

However, further investigation triggered by threat intelligence from ESET revealed that the threat actors exploited cross-site scripting (XSS) vulnerabilities in various webmail software, including Roundcube, Horde, MDaemon, and Zimbra, to breach Ukrainian government entities. Specifically, the hackers sent messages on Signal to deliver a macro-laced Microsoft Word document, which, when launched, dropped two payloads: a malicious DLL and a PNG image.

The embedded macro also made Windows Registry modifications to ensure that the DLL was launched when the File Explorer was launched the next time. The primary task of the DLL was to load the shellcode from the PNG file, resulting in the execution of the memory-resident COVENANT framework. COVENANT subsequently downloaded two more intermediate payloads that were designed to launch the BEARDSHELL backdoor on the compromised host.

To mitigate potential risks associated with the threat, state organizations are recommended to keep an eye on network traffic associated with the domains “app.koofr[.]net” and “api.icedrive[.]net.” The disclosure comes as CERT-UA revealed APT28’s targeting of outdated Roundcube webmail instances in Ukraine to deliver exploits for CVE-2020-35730, CVE-2021-44026, and CVE-2020-12641 via phishing emails that ostensibly contained text about news events but weaponized these flaws to execute arbitrary JavaScript.

The email “contained a content bait in the form of an article from the publication ‘NV’ (nv.ua), as well as an exploit for the Roundcube XSS vulnerability CVE-2020-35730 and the corresponding JavaScript code designed to download and run additional JavaScript files: ‘q.js’ and ‘e.js,’” CERT-UA said. “E.js” ensured the creation of a mailbox rule for redirecting incoming emails to a third-party email address, in addition to exfiltrating the victim’s address book and session cookies via HTTP POST requests. On the other hand, “q.js” featured an exploit for an SQL injection flaw in Roundcube (CVE-2021-44026) that was used to gather information from the Roundcube database. CERT-UA said it also discovered a third JavaScript file named “c.js” that included an exploit for a third Roundcube flaw (CVE-2020-12641) to execute arbitrary commands on the mail server.

In all, similar phishing emails were sent to the email addresses of more than 40 Ukrainian organizations. The attacks highlight the need for organizations to prioritize cybersecurity and take proactive measures to protect themselves against sophisticated cyber threats.