A Comprehensive Look at APT28’s Phantom Net Voxel Campaign
APT28, also known by aliases such as Fancy Bear, Sofacy, and Sednit, has launched a sophisticated new campaign named Phantom Net Voxel. Sekoia researchers analyzed the operation in depth, building on CERT-UA's earlier report on the BeardShell and Covenant frameworks, and uncovered new weaponized Office documents and techniques that had not been publicly documented before.
Understanding the Operation
The Phantom Net Voxel campaign is marked by its intricate methodology, incorporating social engineering, steganography, and legitimate cloud services. This approach enables the deployment of modular backdoors while maintaining a discreet presence in the infected system. The result is a lightweight yet enduring infection chain that slips through standard detection frameworks.
Attack Cycle Breakdown
The attack cycle begins with targeted Office documents sent via encrypted messaging platforms like Signal and through email. The documents come with titles that sound familiar and relevant—such as personnel reports and medical forms—making them appear legitimate to recipients, particularly within Ukrainian military and administrative circles.
When these documents are opened and macros are enabled, they release two key components: a dynamic-link library (DLL) for maintaining persistence and a PNG image containing encrypted shellcode. To ensure the DLL loads during subsequent system restarts, a COM-hijack registry key is created that causes the explorer.exe process to load the DLL.
The Power of Steganography
A closer analysis of these PNG files reveals they contain AES-CBC encrypted data hidden within their pixel structures. The malware extracts the least-significant bits of the image data, confirming its integrity via a SHA-1 tag. Subsequently, the embedded shellcode initializes a .NET runtime and launches a Covenant Grunt HTTP stager. Hiding executable content within seemingly benign images adds a hurdle for detection systems, as many conventional scanners may overlook the malicious payload concealed in graphic files.
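To show what the "embedded encrypted blob" check looks like at the pixel level, here is an added Python example (my own code, not Sekoia's tooling or the campaign's loader). It assumes the image has already been decoded to a flat RGB byte array (what a PNG decoder such as Pillow returns), constructs a synthetic gradient image, plants a random payload in the channel LSBs to build a positive sample, and reports the entropy and byte-value coverage of the extracted LSB plane. The one-bit-per-channel, MSB-first layout and the thresholds are assumptions for the demo, not the campaign's actual encoding.

```python
import math
import random
from collections import Counter

# Constructed sample geometry: a small RGB "image" held as a flat byte
# array, as a PNG decoder would hand it back. No PNG parsing happens here;
# the focus is the pixel-level triage check.
WIDTH, HEIGHT, CHANNELS = 128, 64, 3


def synthetic_clean_image() -> bytearray:
    """Smooth gradient whose low bits follow a regular, low-entropy pattern."""
    pixels = bytearray(WIDTH * HEIGHT * CHANNELS)
    i = 0
    for y in range(HEIGHT):
        for x in range(WIDTH):
            for c in range(CHANNELS):
                pixels[i] = (x + y + c) & 0xFF
                i += 1
    return pixels


def sample_payload(n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted blob (constructed)."""
    rng = random.Random(1234)
    return bytes(rng.getrandbits(8) for _ in range(n))


def with_lsb_payload(pixels: bytes, payload: bytes) -> bytearray:
    """Copy of `pixels` with `payload` written into the channel LSBs.

    Used only to build the positive test sample. The layout (one bit per
    channel sample, MSB first, no header) is an assumption for this demo.
    """
    out = bytearray(pixels)
    if len(payload) * 8 > len(out):
        raise ValueError("payload exceeds LSB capacity")
    for i, byte in enumerate(payload):
        for b in range(8):
            bit = (byte >> (7 - b)) & 1
            idx = i * 8 + b
            out[idx] = (out[idx] & 0xFE) | bit
    return out


def extract_lsb_stream(pixels: bytes) -> bytes:
    """Collect the LSB of every channel sample; 8 bits become one byte, MSB first."""
    out = bytearray()
    acc, n = 0, 0
    for sample in pixels:
        acc = (acc << 1) | (sample & 1)
        n += 1
        if n == 8:
            out.append(acc)
            acc, n = 0, 0
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def lsb_plane_report(pixels: bytes) -> dict:
    """Triage statistics on the LSB plane of a decoded image."""
    stream = extract_lsb_stream(pixels)
    ent = shannon_entropy(stream)
    distinct = len(set(stream))
    return {
        "lsb_bytes": len(stream),
        "entropy": round(ent, 3),
        "distinct_values": distinct,
        # Encrypted data looks uniformly random: close to 8 bits/byte with
        # nearly every byte value present. Flat or synthetic images do not.
        "suspicious": ent > 7.5 and distinct > 240,
    }


if __name__ == "__main__":
    clean = synthetic_clean_image()
    stego = with_lsb_payload(clean, sample_payload(len(clean) // 8))
    print("clean:", lsb_plane_report(clean))
    print("stego:", lsb_plane_report(stego))
```

The caveat matters: photographic images often have near-random low bits on their own, so high LSB entropy is a triage signal for flat, synthetic or screenshot-like images rather than proof of steganography. It is best combined with the published hashes and YARA rules, with file-size-versus-content anomalies, and with which process wrote or read the file.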
Modular Implants and Cloud-Based Command and Control
Once the initial phase establishes a foothold, the operation transitions to a more modular framework. Investigations have uncovered a C++ backdoor, designated BeardShell by CERT-UA, which queries cloud storage platforms like Icedrive for encrypted directives. This backdoor can execute commands, upload results, and delete files to erase traces of its activities.
Accompanying this is an implant called SlimAgent, designed to capture screenshots, log keystrokes, and gather sensitive information. It employs AES-256 encryption for the data collected, secures session keys with RSA, and stores the information locally prior to exfiltration.
By leveraging legitimate cloud APIs, the attackers obscure their malicious traffic within normal service requests, posing difficult decisions for defenders: either block useful productivity tools or permit covert command-and-control operations.
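As an added example of what "observe atypical cloud API usage" can mean in practice, the Python below (my own code, not from the report) parses a constructed proxy log and flags client/host pairs whose request spacing is too regular to be human-driven. The log format, the hostname and the thresholds are assumptions; the host is a placeholder standing in for whichever consumer storage service the organization does not sanction (the report names Icedrive).

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 1, 9, 0, 0)


def constructed_log() -> list:
    """Small, deterministic proxy log (constructed sample data, not a real capture).

    One record per line:
    <ISO timestamp> <client_ip> <method> <host> <path> <status> <bytes>
    """
    lines = []
    # Client A polls a cloud-storage API about once a minute with little
    # jitter and small, constant-sized responses: the shape of task polling.
    t = BASE
    jitter = [0, 1, -1, 2, 0, -2, 1, 0, 1, -1, 0, 2, -1, 0, 1, 0]
    for j in jitter:
        t += timedelta(seconds=60 + j)
        lines.append(f"{t.isoformat()} 10.0.0.5 GET cloud-storage.example /api/v1/tasks 200 312")
    # Client B uses the same service interactively: bursts, long gaps, large transfers.
    t = BASE
    for gap, size in [(3, 4096), (45, 120000), (2, 900), (600, 52000),
                      (1, 700), (1, 650), (120, 88000), (5, 1200)]:
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.9 GET cloud-storage.example /api/v1/files 200 {size}")
    return lines


def parse_line(line: str) -> dict:
    ts, client, method, host, path, status, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": host, "path": path, "status": int(status), "bytes": int(size)}


def find_polling_clients(lines, min_requests: int = 8, max_cv: float = 0.15) -> dict:
    """Flag (client, host) pairs whose inter-request gaps are suspiciously regular.

    cv = population stdev / mean of the gaps. Scheduled polling sits near 0;
    human-driven traffic is bursty and usually sits well above 1.
    """
    by_pair = defaultdict(list)
    for rec in map(parse_line, lines):
        by_pair[(rec["client"], rec["host"])].append(rec)

    flagged = {}
    for key, recs in by_pair.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            flagged[key] = {
                "requests": len(recs),
                "mean_gap_s": round(mean, 1),
                "cv": round(cv, 3),
                "median_bytes": statistics.median(r["bytes"] for r in recs),
            }
    return flagged


if __name__ == "__main__":
    for (client, host), stats in find_polling_clients(constructed_log()).items():
        print(f"{client} -> {host}: {stats}")
```

Cadence alone is a triage signal, not a verdict: legitimate sync clients also poll on a schedule. What makes a hit worth a look is the combination with small constant response sizes, a host the organization does not sanction, and the process lineage behind the request (for this campaign, a DLL running inside explorer.exe).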
Evasion Techniques and Anti-Analysis Measures
Phantom Net Voxel incorporates several anti-analysis strategies to further enhance its stealth. The malware monitors its runtime environment, system resources, and debugging tools, exiting immediately if it detects conditions that suggest it is operating within a sandbox or a controlled environment. Phishing assets include CAPTCHAs and blockers aimed at devtools, deterring automated analysis and making it harder for researchers to scrutinize them. Most notably, strings and configuration settings are decrypted only during runtime, significantly reducing the static footprint that can be analyzed.
Key Design Innovations
Three significant design decisions have emerged from this campaign:
- Steganographic Staging: Concealing shellcode within PNG files not only heightens stealth but also capitalizes on the trust users place in media files.
- Cloud Command and Control Channels: By blending malicious actions into traffic to well-known services like Icedrive, the attackers complicate mitigation efforts, as these channels are also used by legitimate customers.
- COM Hijack Persistence: Loading DLLs through the explorer.exe process allows the malware to bypass many antivirus hooks and ensures operation within a trusted setting.
Detection Strategies for Defenders
In response to this advanced threat, Sekoia has released indicators of compromise (IOCs), including hashes for the document and DLL files, along with YARA rules for identifying the stego loader and BeardShell components. Analysts are urged to monitor PNG files for any embedded encrypted blobs, observe atypical cloud API usage, and audit registry entries for unusual CLSID references linked to nonstandard DLLs. Additionally, tracking unexpected processes spawned by explorer.exe can highlight potential threats, while monitoring polling frequency and irregular use of consumer cloud APIs can yield substantial insights into malign activities.
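The registry audit this advice calls for, as an added Python example (my own code, not Sekoia's or CERT-UA's). It parses a constructed `reg export`-style text, collects every CLSID InprocServer32 registration, and flags per-user (HKCU) registrations, HKCU entries that shadow an HKLM one for the same CLSID, and DLLs living in user-writable paths. The GUIDs, paths and the user-writable marker list are assumptions for the demo.

```python
import re

# Constructed registry export (not from any real system; GUIDs and paths are
# placeholders). Real `reg export` output is UTF-16 text with a BOM, so read
# it with encoding="utf-16" before handing it to parse_inproc_servers().
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Example Shell Extension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\exampleshell.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"
"""

# Matches "[HIVE\...\CLSID\{guid}\InprocServer32]" section headers.
KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+)\\(.+)\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32\]$",
    re.IGNORECASE,
)
DEFAULT_RE = re.compile(r'^@="(.*)"$')  # the key's default value = DLL path

# Path fragments a COM server DLL should normally never live under (assumed list).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def parse_inproc_servers(reg_text: str) -> list:
    """Return one {hive, clsid, dll} record per InprocServer32 key in the export."""
    entries = []
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = {"hive": m.group(1).upper(), "clsid": m.group(3).upper(), "dll": None}
            entries.append(current)
            continue
        if line.startswith("["):
            current = None  # some other key; ignore its values
            continue
        d = DEFAULT_RE.match(line)
        if d and current is not None:
            # .reg files escape backslashes as "\\"; undo that.
            current["dll"] = d.group(1).replace("\\\\", "\\")
    return entries


def audit(entries: list) -> list:
    """Flag registrations that fit the COM-hijack persistence pattern."""
    hklm = {e["clsid"] for e in entries if e["hive"] == "HKEY_LOCAL_MACHINE"}
    findings = []
    for e in entries:
        reasons = []
        dll = (e["dll"] or "").lower()
        if e["hive"] == "HKEY_CURRENT_USER":
            # For non-elevated processes such as explorer.exe, a per-user
            # class registration takes precedence over the machine-wide one.
            reasons.append("per-user InprocServer32 registration")
            if e["clsid"] in hklm:
                reasons.append("shadows an HKLM registration of the same CLSID")
        if any(marker in dll for marker in USER_WRITABLE):
            reasons.append("DLL located in a user-writable path")
        if reasons:
            findings.append({"hive": e["hive"], "clsid": e["clsid"],
                             "dll": e["dll"], "reasons": reasons})
    return findings


def run_audit(reg_text: str = SAMPLE_REG) -> list:
    return audit(parse_inproc_servers(reg_text))


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f['hive']} {f['clsid']} -> {f['dll']}")
        for r in f["reasons"]:
            print("   -", r)
```

A per-user registration is not malicious on its own (some legitimate software installs per-user COM servers), so the useful triage order is: HKCU entries that shadow an HKLM CLSID and point at a DLL in a user-writable directory first, then the remaining per-user entries, cross-checked against the published DLL hashes.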
The Phantom Net Voxel operation might not represent a new direction for APT28, but it does exemplify the group’s ability to refine existing methodologies into a more elusive and modular operational cycle. By embedding payloads in commonly used image formats and transitioning command channels to well-known cloud services, they have effectively raised the stakes for automated detection, compelling security professionals to broaden their surveillance practices.