Russia’s APT28 (Fancy Bear) uses Signal to deploy BEARDSHELL and COVENANT malware on Ukrainian targets.

Russian state-sponsored hackers APT28 (also known as Fancy Bear, tracked by CERT-UA as UAC-0001) have run a malware campaign against Ukrainian government targets that uses the Signal messenger to deliver the initial lure. The operation relies on two malware families: BEARDSHELL, a previously undocumented backdoor, and COVENANT, a .NET command-and-control framework used here as a loader, both disguised within seemingly harmless files.

Attack Vector and Initial Compromise

APT28 opens the attack by sending a phishing message over Signal that carries a malicious Word document (for example Акт.doc, i.e. Act.doc). If the recipient enables macros, the document deploys COVENANT, a .NET-based command-and-control framework that acts as a loader. COVENANT then drives a multi-stage chain that downloads a malicious DLL (PlaySndSrv.dll) and a WAV file (sample-03.wav) containing shellcode; the shellcode executes BEARDSHELL.

Malware Functionality

BEARDSHELL

Written in C++, BEARDSHELL uses Icedrive’s cloud API as its command-and-control channel. Its core capabilities are: (1) downloading and executing PowerShell scripts, which arrive encrypted and are decrypted with ChaCha20-Poly1305; (2) uploading the execution results back to the attackers; and (3) maintaining persistence through COM hijacking in the Windows registry, tied to the SystemSoundsService COM object.

COVENANT

COVENANT serves as the initial loader, staging BEARDSHELL while evading detection.

SLIMAGENT (Ancillary Tool)

SLIMAGENT captures screenshots through Windows API calls and encrypts the images (AES + RSA) for later exfiltration.

Persistence and Stealth Tactics

The malware persists by hijacking a COM object, so it is loaded whenever explorer.exe instantiates that class; no service, scheduled task or Run key is created. Command-and-control traffic goes to legitimate cloud storage services, Icedrive and Koofr, so it blends in with ordinary HTTPS to trusted domains and is unlikely to be flagged by reputation-based controls.
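The COM hijacking described for BEARDSHELL (and again under the persistence section above) works because COM resolves a CLSID in the per-user hive (HKCU\Software\Classes\CLSID) before the machine-wide one, so a user-writable entry can shadow a legitimate server DLL. The following PowerShell is an added example, not code from the page or from CERT-UA: it lists per-user COM servers and ranks those that shadow an HKLM class and point into a user-writable directory. The "user-writable" directory list is an assumption for tuning, not an indicator from the report, and no specific CLSID is assumed.

```powershell
# Added example: enumerate per-user COM registrations that could be hijacks.
# Run in the context of the user whose HKCU hive you want to inspect.

function Get-ComHijackCandidates {
    [CmdletBinding()]
    param(
        # Directories an unprivileged user can write to (assumption; tune per environment).
        # Legitimate per-user COM servers can live here too, so treat hits as leads, not verdicts.
        [string[]]$UserWritableRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, "$env:USERPROFILE\Downloads")
    )

    $hkcuClsid = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $hkcuClsid)) { return }

    foreach ($key in Get-ChildItem -Path $hkcuClsid -ErrorAction SilentlyContinue) {
        $clsid = $key.PSChildName
        foreach ($subKey in 'InprocServer32', 'LocalServer32') {
            $serverKey = Join-Path $key.PSPath $subKey
            if (-not (Test-Path $serverKey)) { continue }

            # The (default) value is the DLL or EXE that COM will load for this class.
            $server = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
            if (-not $server) { continue }

            # A matching CLSID in HKLM means the per-user entry overrides a machine-wide
            # class: that is the hijack condition.
            $shadowsHklm = Test-Path "HKLM:\Software\Classes\CLSID\$clsid"

            $expanded = [Environment]::ExpandEnvironmentVariables($server).Trim('"')
            $inUserPath = $false
            foreach ($root in $UserWritableRoots) {
                if ($root -and $expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $inUserPath = $true
                }
            }

            [pscustomobject]@{
                CLSID        = $clsid
                ServerType   = $subKey
                ServerPath   = $expanded
                ShadowsHKLM  = $shadowsHklm
                UserWritable = $inUserPath
                # LocalServer32 values may carry arguments, so Exists is only reliable for DLLs.
                Exists       = Test-Path -LiteralPath $expanded
            }
        }
    }
}

# Most suspicious first: shadows an HKLM class and points into a user-writable path.
Get-ComHijackCandidates |
    Sort-Object -Property @{Expression = 'ShadowsHKLM'; Descending = $true},
                          @{Expression = 'UserWritable'; Descending = $true} |
    Format-Table -AutoSize
```

A hit with ShadowsHKLM and UserWritable both true deserves a look at the DLL itself and at which process loads it; a per-user entry whose target no longer exists (Exists false) is also worth noting, since a hijacker can be removed after the fact while the registry override remains.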

Attribution and Context

CERT-UA attributes this activity (tracked as UAC-0001) to APT28, a group linked to Russia’s GRU military intelligence. The campaigns align with Russia’s hybrid warfare strategy, targeting Ukrainian government entities since at least March 2024.

Mitigation Recommendations

• Block macros in Office documents from untrusted sources (files carrying the Mark-of-the-Web), and enforce this by policy rather than relying on the user to decline the prompt.
• Monitor, and where these services have no legitimate use block, traffic to api.icedrive.net and app.koofr.net, the C2 endpoints; attribute each connection to the process that made it.
• Alert on new or modified InprocServer32 entries under HKCU\Software\Classes\CLSID, the registry location COM hijacking writes to, and on explorer.exe loading DLLs from user-writable directories.
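The network recommendation is only actionable if a lookup of the two C2 hosts can be tied to the process that made it, since explorer.exe (which hosts the hijacked COM object) has no business talking to a cloud storage API while a real sync client might. The PowerShell below is an added example, not code from the page or from CERT-UA: it reads Sysmon DNS query events (Event ID 22) and flags lookups of the named hosts from any process not on an allow-list. It assumes Sysmon is installed with DNS logging enabled; the allow-listed client path and the sample events are constructed for illustration.

```powershell
# Added example: attribute DNS lookups of the reported C2 hosts to the querying process.

$C2Hosts = @('api.icedrive.net', 'app.koofr.net')   # endpoints named in the report

function Get-SysmonDnsQueries {
    # Sysmon Event ID 22 (DnsQuery): project the Image and QueryName fields from the XML.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22 } -ErrorAction Stop |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; Image = $d['Image']; QueryName = $d['QueryName'] }
        }
}

function Find-C2Lookups {
    param(
        [Parameter(ValueFromPipeline)] [pscustomobject]$Event,
        [string[]]$Hosts = $C2Hosts,
        [string[]]$AllowedImages = @()   # full paths of sanctioned Icedrive/Koofr clients (assumption)
    )
    process {
        if (-not $Event.QueryName) { return }
        $q = $Event.QueryName.ToLowerInvariant()
        foreach ($h in $Hosts) {
            # Match the host itself and any subdomain of it.
            if ($q -eq $h -or $q.EndsWith(".$h")) {
                $allowed = $AllowedImages -contains $Event.Image   # -contains is case-insensitive
                [pscustomobject]@{
                    TimeCreated = $Event.TimeCreated
                    Image       = $Event.Image
                    QueryName   = $Event.QueryName
                    Verdict     = if ($allowed) { 'sanctioned client' } else { 'REVIEW: unexpected process' }
                }
            }
        }
    }
}

# Constructed sample events so the logic runs without Sysmon present.
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date; Image = 'C:\Windows\explorer.exe';            QueryName = 'api.icedrive.net' }
    [pscustomobject]@{ TimeCreated = Get-Date; Image = 'C:\Program Files\Example\sync.exe';  QueryName = 'app.koofr.net' }
    [pscustomobject]@{ TimeCreated = Get-Date; Image = 'C:\Windows\System32\svchost.exe';    QueryName = 'update.microsoft.com' }
)
$sample | Find-C2Lookups -AllowedImages 'C:\Program Files\Example\sync.exe' | Format-Table -AutoSize

# Against a live host (requires Sysmon with DnsQuery logging):
# Get-SysmonDnsQueries | Find-C2Lookups -AllowedImages 'C:\Program Files\Example\sync.exe'
```

On the sample input the explorer.exe lookup of api.icedrive.net is reported for review, the allow-listed client's lookup of app.koofr.net is marked sanctioned, and the unrelated Microsoft lookup is ignored. Outright blocking the domains at the proxy is simpler where nobody uses these services, but the process attribution is what turns a noisy domain match into a usable alert.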