
APT28 Hackers Use Customized Covenant Tool in New Attacks

Summary

– The Russian state-sponsored hacking group APT28 is using a custom version of the open-source Covenant framework and a new implant called BeardShell for long-term espionage.
– These tools have been used in recent attacks targeting Ukrainian government bodies, exploiting a Microsoft Office vulnerability via malicious documents.
– BeardShell uses the legitimate Icedrive cloud service for command-and-control and employs a unique obfuscation technique previously seen in older APT28 tools.
– The group’s modified Covenant implant features deterministic identifiers, evasion techniques, and uses cloud providers like Filen for communication, serving as the primary tool with BeardShell as a fallback.
– Researchers assess that APT28’s advanced development team reactivated in 2024, showing technical continuity with its past operations and enhancing its long-term surveillance capabilities.

A Russian state-sponsored hacking group known as APT28 has been deploying a customized version of an open-source hacking tool to conduct long-term espionage, particularly against Ukrainian government targets. Security researchers have identified a sophisticated dual-implant strategy using malware called BeardShell alongside a heavily modified variant of the Covenant post-exploitation framework. This approach provides the threat actors with resilient surveillance capabilities, allowing them to maintain access even if one part of their infrastructure is compromised.

The group, which also operates under names like Fancy Bear, Forest Blizzard, and Strontium, has a long history of targeting high-profile entities across Europe. Their recent campaign focuses on Ukrainian central executive bodies, exploiting a vulnerability in Microsoft Office through malicious documents. Once inside a system, the attackers deploy their tools to establish a persistent foothold.

ESET researchers detailed that the operation uses two distinct implants working in tandem. The primary tool is the customized Covenant framework, which handles most espionage activities. BeardShell acts as a secondary or fallback implant, ensuring the hackers retain control if Covenant is discovered or disabled. This layered method points to a highly organized and patient adversary focused on sustained intelligence gathering.

The BeardShell implant is notable for its use of legitimate cloud storage services for communication. It has leveraged platforms like Icedrive to covertly exchange commands and results with infected machines. The malware can execute PowerShell commands and employs a unique obfuscation technique previously seen in older APT28 tools, suggesting continuity within the group’s development team. Meanwhile, the customized Covenant framework has been significantly altered from its public source code. Modifications include tying implant identifiers to specific host characteristics, changing execution flows to avoid detection by security software, and integrating new protocols for communicating through cloud storage providers like Filen.

This shift to cloud-based command and control makes the attacks harder to track and block. The group’s adaptation of a widely available tool like Covenant also allows them to build on a stable foundation while adding their own stealth enhancements. The technical analysis reveals that APT28’s advanced malware developers have been actively refining their tools since at least 2023, indicating a resurgence in their operational tempo. The discovery of these tools followed an investigation into another implant called SlimAgent, which was found capturing keystrokes, clipboard data, and screenshots on a compromised Ukrainian government system.

The consistent evolution of tactics and the reuse of historical code patterns demonstrate that this is a mature, well-resourced threat actor. Their focus on long-term surveillance, especially within the context of the ongoing conflict in Ukraine, underscores the persistent digital threat posed by state-sponsored cyber espionage campaigns. Defenders are advised to monitor for suspicious use of cloud storage services in network traffic and to rigorously patch known software vulnerabilities that serve as common entry points for these attacks.
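Acting on the monitoring advice above, here is an added example (not from the article or from ESET's research) that sweeps constructed proxy log lines for hosts whose traffic to cloud-storage providers looks scripted or beacon-like, the two traits a cloud-based command channel tends to show. The provider suffix list, the log format, the host names and the sample lines are all assumptions.

```python
import re, statistics
from collections import defaultdict
from datetime import datetime

# Assumed watchlist of cloud-storage suffixes (not from the article); tune to your environment.
CLOUD_STORAGE_SUFFIXES = ("icedrive.net", "filen.io")
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')

# Constructed proxy log: <ISO timestamp> <src_host> <dest_host> "<user_agent>"
SAMPLE_LOG = """\
2025-06-01T09:00:00 WS-17 gateway.filen.io "sync-client/1.0"
2025-06-01T09:01:00 WS-17 gateway.filen.io "sync-client/1.0"
2025-06-01T09:02:01 WS-17 gateway.filen.io "sync-client/1.0"
2025-06-01T09:02:59 WS-17 gateway.filen.io "sync-client/1.0"
2025-06-01T09:00:12 LAPTOP-03 app.icedrive.net "Mozilla/5.0 (Windows NT 10.0; Win64)"
2025-06-01T09:07:40 LAPTOP-03 app.icedrive.net "Mozilla/5.0 (Windows NT 10.0; Win64)"
2025-06-01T09:08:03 LAPTOP-03 app.icedrive.net "Mozilla/5.0 (Windows NT 10.0; Win64)"
2025-06-01T09:31:55 LAPTOP-03 app.icedrive.net "Mozilla/5.0 (Windows NT 10.0; Win64)"
"""

def matched_provider(host):
    # Suffix match so any subdomain of a watched provider counts.
    return next((s for s in CLOUD_STORAGE_SUFFIXES
                 if host == s or host.endswith("." + s)), None)

def find_suspicious(log_text, min_requests=4, max_jitter=5.0):
    """Map (src_host, provider) -> reasons for hosts whose traffic to a watched
    provider is scripted (non-browser UA) or beacon-like (steady gaps, pstdev <= max_jitter s)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue  # skip malformed lines rather than abort the sweep
        ts, src, dst, ua = m.groups()
        provider = matched_provider(dst.lower())
        if provider:
            events[(src, provider)].append((datetime.fromisoformat(ts), ua))
    findings = {}
    for key, recs in events.items():
        if len(recs) < min_requests:
            continue  # too few requests to judge cadence
        reasons = []
        if not all(ua.startswith("Mozilla/") for _, ua in recs):
            reasons.append("non-browser user agent")
        times = sorted(ts for ts, _ in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and statistics.pstdev(gaps) <= max_jitter:
            reasons.append(f"regular cadence (~{statistics.mean(gaps):.0f}s)")
        if reasons:
            findings[key] = reasons
    return findings
```

On the constructed sample, WS-17 is flagged for both a non-browser user agent and a roughly 60-second cadence, while LAPTOP-03's irregular browser-driven use of the same class of service is left alone.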

(Source: Bleeping Computer)
