Multiple Russia-aligned threat actors have been observed targeting individuals of interest via the privacy-focused messaging app Signal to gain unauthorized access to their accounts.
“The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app’s legitimate ‘linked devices’ feature that enables Signal to be used on multiple devices concurrently,” the Google Threat Intelligence Group (GTIG) said in a report.
In the attacks spotted by the tech giant’s threat intelligence teams, the threat actors, including one it’s tracking as UNC5792, have resorted to malicious QR codes that, when scanned, will link a victim’s account to an actor-controlled Signal instance.
As a result, future messages get delivered synchronously to both the victim and the threat actor in real-time, thereby granting threat actors a persistent way to eavesdrop on the victim’s conversations. Google said UAC-0195 partially overlaps with a hacking group known as UAC-0195.
These QR codes are known to masquerade as group invites, security alerts, or legitimate device pairing instructions from the Signal website. Alternatively, the malicious device-linking QR codes have been found to be embedded in phishing pages that purport to be specialized applications used by the Ukrainian military.
“UNC5792 has hosted modified Signal group invitations on actor-controlled infrastructure designed to appear identical to a legitimate Signal group invite,” Google said.
Another threat actor linked to the targeting of Signal is UNC4221 (aka UAC-0185), which has targeted Signal accounts used by Ukrainian military personnel by means of a custom phishing kit that’s designed to mimic certain aspects of the Kropyva application used by the Armed Forces of Ukraine for artillery guidance.
Also used is a lightweight JavaScript payload dubbed PINPOINT that can collect basic user information and geolocation data through phishing pages.
Outside of UNC5792 and UNC4221, some of the other adversarial collectives that have trained their sights on Signal are Sandworm (aka APT44), which has utilized a Windows Batch script named WAVESIGN; Turla, which has operated a lightweight PowerShell script; and UNC1151, which has put to use the Robocopy utility to exfiltrate Signal messages from an infected desktop.
The disclosure from Google comes a little over a month after the Microsoft Threat Intelligence team attributed the Russian threat actor known as Star Blizzard to a spear-phishing campaign that leverages a similar device-linking feature to hijack WhatsApp accounts.
Last week, Microsoft and Volexity also revealed that multiple Russian threat actors are leveraging a technique called device code phishing to log into victims’ accounts by targeting them via messaging apps like WhatsApp, Signal, and Microsoft Teams.
“The operational emphasis on Signal from multiple threat actors in recent months serves as an important warning for the growing threat to secure messaging applications that is certain to intensify in the near-term,” Google said.
“As reflected in wide ranging efforts to compromise Signal accounts, this threat to secure messaging applications is not limited to remote cyber operations such as phishing and malware delivery, but also critically includes close-access operations where a threat actor can secure brief access to a target’s unlocked device.”
The disclosure also follows the discovery of a new search engine optimization (SEO) poisoning campaign that uses fake download pages impersonating popular applications like Signal, LINE, Gmail, and Google Translate to deliver backdoored executables aimed at Chinese-speaking users.
“The executables delivered through fake download pages follow a consistent execution pattern involving temporary file extraction, process injection, security modifications, and network communications,” Hunt.io said, adding the samples exhibit infostealer-like functionality associated with a malware strain referred to as MicroClip.
