After years of mysteriously avoiding custom malware, Russia's infamous Sednit threat group is back to using a custom toolkit in recent cyber espionage campaigns against Ukrainian cyber assets. The toolkit has two implants at its core.
One uses techniques from a malware framework that Sednit used in the 2010s, and the other is a heavily modified open-source implant built for long-term espionage.

A New Set of Tools

ESET researchers found the malware while investigating a 2024 breach in Ukraine that used a keylogger called SlimAgent, which was based on Sednit code more than ten years old.
In addition to the keylogger, ESET found another piece of malware called BeardShell that lets the attacker run PowerShell commands on infected systems and uses the legitimate cloud service Icedrive for command-and-control (C2) communications. Further research showed that Sednit was using BeardShell alongside Covenant, a complex, heavily modified version of an open-source implant that can steal data, move laterally and monitor targets.
ESET discovered that the Sednit developers had made many changes to Covenant since 2023 to turn it into their main implant. The ESET researcher says that BeardShell is a brand new implant, but it uses an obfuscation method that Sednit used in Xtunnel, a network-pivoting tool from the 2010s.
The researcher says that the malware "is basically a PowerShell interpreter that operators mostly used to redeploy Covenant, which suggests that Covenant is the preferred implant for day-to-day espionage operations." Because BeardShell and Covenant use custom loading chains that their developers update often, detecting them is a game of cat and mouse. The malware is also hard to block because it uses a variety of legitimate cloud services for C2 communications.
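The behaviour described above, a PowerShell interpreter whose C2 rides on a legitimate cloud-storage service, gives defenders a concrete hunting angle: scripting hosts rarely have a reason to talk to consumer cloud storage, and when they do, the parent process and command line usually tell the story. The heuristic below is an added example written for this article, not ESET's code or anything recovered from BeardShell; the event shape loosely follows Sysmon process-create and network-connect events, all sample events are constructed, the hostname markers (only Icedrive is named in the article) and the allow-listed images are assumptions a team would tune to its own inventory.

```python
"""Hunt for scripting hosts talking to consumer cloud-storage services.

Added example for the article above; not ESET's or the article's code. Event records
loosely follow Sysmon Event ID 1 (process create) and Event ID 3 (network connect).
Every value below is constructed for illustration.
"""

# Assumption: substrings that identify consumer cloud-storage services in destination
# hostnames. Only Icedrive is named in the article; the others are illustrative.
CLOUD_STORAGE_MARKERS = ("icedrive", "dropbox", "onedrive", "drive.google")

# Scripting hosts that should rarely need a cloud-storage connection of their own.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Images for which cloud-storage traffic is expected (browsers, the vendor's sync
# client). Assumption: names chosen for illustration; tune to the real inventory.
EXPECTED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "icedrive.exe"}


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_cloud_storage_host(host):
    """True when the destination hostname matches a cloud-storage marker."""
    h = host.lower()
    return any(marker in h for marker in CLOUD_STORAGE_MARKERS)


def find_cloud_c2_candidates(events):
    """Correlate process-create (id 1) and network-connect (id 3) events by pid and
    flag cloud-storage connections from processes that have no business making them.
    Scripting hosts are rated 'high', any other unexpected image 'medium'."""
    procs = {}   # pid -> process-create event, so alerts can carry parent and cmdline
    alerts = []
    for ev in events:
        if ev["event_id"] == 1:
            procs[ev["pid"]] = ev
            continue
        if ev["event_id"] != 3 or not is_cloud_storage_host(ev["dest_host"]):
            continue
        image = basename(ev["image"])
        if image in EXPECTED_IMAGES:
            continue
        proc = procs.get(ev["pid"], {})
        alerts.append({
            "severity": "high" if image in SCRIPT_HOSTS else "medium",
            "pid": ev["pid"],
            "image": image,
            "parent": basename(proc.get("parent_image", "")),
            "cmdline": proc.get("cmdline", ""),
            "dest_host": ev["dest_host"],
        })
    return alerts


# Constructed sample telemetry: one hidden PowerShell spawned by an unknown loader that
# reaches a cloud-storage host, a browser doing the same legitimately, and an unsigned
# binary in a user profile reaching another storage service.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\loader.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden"},
    {"event_id": 3, "pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "api.icedrive.example", "dest_port": 443},
    {"event_id": 1, "pid": 5300,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "chrome.exe"},
    {"event_id": 3, "pid": 5300,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "www.icedrive.example", "dest_port": 443},
    {"event_id": 1, "pid": 6011,
     "image": r"C:\Users\victim\AppData\Roaming\update.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "update.exe"},
    {"event_id": 3, "pid": 6011,
     "image": r"C:\Users\victim\AppData\Roaming\update.exe",
     "dest_host": "content.dropbox.example", "dest_port": 443},
    {"event_id": 3, "pid": 5300,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "news.example.org", "dest_port": 443},
]

if __name__ == "__main__":
    for alert in find_cloud_c2_candidates(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] pid={alert['pid']} {alert['image']} "
              f"(parent {alert['parent'] or '?'}) -> {alert['dest_host']} "
              f"cmd: {alert['cmdline']}")
```

The correlation is deliberately keyed on the process record rather than on a hostname block list: the article's point is that the C2 hides in services users legitimately reach, so blocking the destination is rarely an option, while a hidden PowerShell child of an unknown loader reaching that destination is worth a look regardless of which service it is.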