Carder.life


Artifact 07-16-2025 08:53 AM

<div id="post_message_799207">

The Russian state-sponsored threat group APT28 is using Signal chats to target government targets in Ukraine with two previously undocumented malware families named BeardShell and SlimAgent.<br/>
<br/>
To be clear, this is not a security issue in Signal. Instead, threat actors are more commonly utilizing the messaging platform as part of their phishing attacks due to its increased usage by governments worldwide.<br/>
<br/>
The attacks were first discovered by Ukraine's Computer and Emergency Response (<a href="http://cert.gov.ua/article/6284080" target="_blank">CERT-UA</a>) in March 2024, though limited details about the infection vector were uncovered at the time.<br/>
<br/>
Over a year later, in May 2025, ESET notified CERT-UA of unauthorized access to a gov.ua email account, prompting a new incident response.<br/>
<br/>
During this new investigation, CERT-UA discovered that messages sent via the encrypted messenger app Signal were used to deliver a malicious document to targets (Акт.doc), which uses macros to load a memory-resident backdoor called Covenant.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/June/signal-lure.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

APT28 attack via Signal. Source: CERT-UA

</td>
</tr>
</table>
</div>Covenant acts as a malware loader, downloading a DLL (PlaySndSrv.dll) and a shellcode-ridden WAV file (sample-03.wav) that loads BeardShell, a previously undocumented C++ malware.<br/>
<br/>
For both the loader and the primary malware payload, persistence is secured via COM-hijacking in the Windows registry.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/June/registry.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

Establishing persistence for BeardShell. Source: CERT-UA

</td>
</tr>
</table>
</div>BeardShell's main functionality is to download PowerShell scripts, decrypt them using 'chacha20-poly1305', and execute them. The execution results are exfiltrated to the command-and-control (C2) server, the communication with which is facilitated by Icedrive API.<br/>
<br/>
In the 2024 attacks, CERT-UA also spotted a screenshot grabber named SlimAgent, which captures screenshots using an array of Windows API functions (EnumDisplayMonitors, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt, GdipSaveImageToStream).<br/>
<br/>
Those images are encrypted using AES and RSA, and stored locally, presumably to be exfiltrated by a separate payload/tool to APT28's C2 server.<br/>
<br/>
CERT-UA attributes this activity to APT28, which they track as UAC-0001, and recommends that potential targets monitor network interactions with app.koofr.net and api.icedrive.net.<br/>
<br/>
APT28 has a long history of <a href="https://www.bleepingcomputer.com/news/security/russian-hackers-breach-orgs-to-track-aid-routes-to-ukraine/" target="_blank">targeting Ukraine</a> as well as other key organizations in the U.S. and <a href="https://www.bleepingcomputer.com/news/security/france-ties-russian-apt28-hackers-to-12-cyberattacks-on-french-orgs/" target="_blank">Europe</a>, primarily for cyberespionage.<br/>
<br/>
They are one of Russia's most advanced threat groups, exposed by Volexity in November 2024 for using a novel "<a href="https://www.bleepingcomputer.com/news/security/hackers-breach-us-firm-over-wi-fi-from-russia-in-nearest-neighbor-attack/" target="_blank">nearest neighbor" technique</a>, which remotely breached targets by exploiting nearby Wi-Fi networks. <br/>
<br/>
In 2025, Signal unexpectedly became central to cyberattacks linked to Russia and Ukraine.<br/>
<br/>
The popular communications platform has been abused in <a href="https://www.bleepingcomputer.com/news/security/russian-phishing-campaigns-exploit-signals-device-linking-feature/" target="_blank">spear-phishing attacks</a> that abused the platform's device-linking feature to hijack accounts and in <a href="https://www.bleepingcomputer.com/news/security/ukrainian-military-targeted-in-new-signal-spear-phishing-attacks/" target="_blank">Dark Crystal RAT distribution</a> against key targets in Ukraine.<br/>
<br/>
At some point, representatives of Ukraine's government <a href="https://therecord.media/signal-no-longer-cooperating-with-ukraine" target="_blank">expressed disappointment</a> that Signal allegedly stopped collaborating with them in their effort to block Russian attacks. Ukrainian officials later voiced frustration over Signal's lack of cooperation in blocking Russian operations.<br/>
<br/>
However, Signal president Meredith Whittaker <a href="http://mastodon.world/@Mer__edith/114160644341691299" target="_blank">met that claim with surprise</a>, saying the platform has never shared communication data with Ukraine or any other government.<br/>
<br/>
<a href="https://www.bleepingcomputer.com/news/security/apt28-hackers-use-signal-chats-to-launch-new-malware-attacks-on-ukraine/" target="_blank">@ BleepingComputer </a>
</div>
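The article says both the Covenant loader and BeardShell persist through COM hijacking in the Windows registry but does not name the hijacked CLSID. The usual way to hunt for this technique is to compare per-user CLSID registrations (HKCU\Software\Classes\CLSID\{clsid}\InprocServer32) against the machine-wide ones and flag entries whose server DLL sits in a user-writable path or shadows an existing HKLM registration. The script below is an added example, not code from the article, CERT-UA or BleepingComputer; the CLSIDs and file paths in SAMPLE are constructed (PlaySndSrv.dll is the DLL name the article reports, but its location is an assumption), and the live winreg collector only reads the 64-bit registry view.

```python
"""Audit per-user COM (CLSID/InprocServer32) registrations for hijacking signs.

Added defensive example; not code from the article, CERT-UA or BleepingComputer.
The CLSIDs and paths in SAMPLE are constructed for illustration.
"""
import re
import sys
from dataclasses import dataclass, field

# Paths a standard user can write to. A COM server DLL registered under HKCU
# from one of these is the classic hijack pattern: no admin rights needed, and
# the per-user key is consulted before the machine-wide one.
USER_WRITABLE_PATTERNS = [
    r"\\users\\[^\\]+\\appdata\\",
    r"\\users\\[^\\]+\\downloads\\",
    r"\\users\\public\\",
    r"\\programdata\\",
    r"\\windows\\temp\\",
    r"%(appdata|localappdata|temp|tmp|userprofile)%",
]


@dataclass
class ComServer:
    hive: str   # "HKCU" or "HKLM"
    clsid: str  # "{...}" as stored under Software\Classes\CLSID
    path: str   # (Default) value of the InprocServer32 subkey


@dataclass
class Finding:
    clsid: str
    path: str
    reasons: list = field(default_factory=list)


def normalize(path):
    """Lower-case, strip quotes and unify separators so patterns match reliably."""
    return path.strip().strip('"').replace("/", "\\").lower()


def in_user_writable(path):
    p = normalize(path)
    return any(re.search(pat, p) for pat in USER_WRITABLE_PATTERNS)


def audit(servers):
    """Return findings for HKCU servers that look hijacked.

    Two signals are combined: the DLL lives in a user-writable location, and/or
    the per-user entry shadows an existing HKLM registration of the same CLSID
    with a different server path.
    """
    hklm = {s.clsid.upper(): s.path for s in servers if s.hive == "HKLM"}
    findings = []
    for s in servers:
        if s.hive != "HKCU":
            continue
        reasons = []
        if in_user_writable(s.path):
            reasons.append("server DLL in user-writable location")
        machine_path = hklm.get(s.clsid.upper())
        if machine_path is not None and normalize(machine_path) != normalize(s.path):
            reasons.append("shadows machine-wide registration: " + machine_path)
        if reasons:
            findings.append(Finding(s.clsid, s.path, reasons))
    return findings


def collect_from_registry():
    """Live collection on Windows via winreg (64-bit view only); [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    servers = []
    for name, hive in hives:
        try:
            root = winreg.OpenKey(hive, r"Software\Classes\CLSID")
        except OSError:
            continue
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(root, clsid + r"\InprocServer32") as key:
                    path, _ = winreg.QueryValueEx(key, "")
                servers.append(ComServer(name, clsid, str(path)))
            except OSError:
                pass  # CLSID without an in-process server
    return servers


# Constructed sample: CLSIDs and paths are made up; PlaySndSrv.dll is the DLL
# name reported in the article, its location here is assumed.
SAMPLE = [
    ComServer("HKLM", "{AAAAAAAA-0000-0000-0000-000000000001}", r"C:\Windows\System32\legit.dll"),
    ComServer("HKCU", "{AAAAAAAA-0000-0000-0000-000000000001}", r"C:\Users\alice\AppData\Roaming\PlaySndSrv.dll"),
    ComServer("HKCU", "{BBBBBBBB-0000-0000-0000-000000000002}", r"C:\Program Files\Vendor\vendor.dll"),
    ComServer("HKCU", "{CCCCCCCC-0000-0000-0000-000000000003}", r"%APPDATA%\tool\tool.dll"),
    ComServer("HKLM", "{DDDDDDDD-0000-0000-0000-000000000004}", r"C:\Windows\System32\same.dll"),
    ComServer("HKCU", "{DDDDDDDD-0000-0000-0000-000000000004}", r"C:\Windows\System32\same.dll"),
]


if __name__ == "__main__":
    servers = collect_from_registry() or SAMPLE
    for f in audit(servers):
        print(f.clsid, f.path)
        for r in f.reasons:
            print("   -", r)
```

Run on Windows it walks the live registry; elsewhere it falls back to the constructed sample, where the first CLSID is flagged on both signals and the third only for its %APPDATA% path. Per-user entries that point at a normal install location and do not shadow an HKLM entry (the second and fourth) are left alone, which keeps legitimate per-user software out of the report; a production version would also cover the WOW6432Node view and verify that each flagged DLL actually exists on disk.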
