Hackers Exploit Signal's Linked Devices Feature to Compromise Accounts via Malicious QR Codes

Feb 19, 2025Ravie LakshmananMobile Security / Cyber Espionage

Multiple Russia-aligned threat actors have been observed targeting users of the privacy-focused messaging app Signal, with the aim of eavesdropping on the accounts of persons of interest.

The abuse of the app's legitimate "linked devices" feature, which allows Signal to be used on multiple devices simultaneously, is the most novel and widely used technique underpinning Russia-aligned attempts to compromise Signal accounts, according to a report from the Google Threat Intelligence Group (GTIG).

In the attacks spotted by the tech giant's threat intelligence teams, the threat actors, including one it tracks as UNC5792, have resorted to malicious QR codes that, when scanned, link the victim's account to an actor-controlled Signal instance.

As a result, future messages are delivered simultaneously to both the victim and the threat actor in real time, giving the threat actor a persistent way to spy on the victim's conversations. Google said partially overlaps with a hacking group known as .

These QR codes are known to masquerade as group invitations, security alerts, or legitimate device-pairing instructions from the Signal website. The malicious device-linking QR codes have also been found embedded in phishing websites that pose as applications specific to the Ukrainian military.
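The lure pattern above (a device-linking code served under a "group invite" or "security alert" pretext) can be triaged once a QR code's payload has been decoded. The following is an added example, not code from the article or from Signal; it assumes that Signal's pairing QR encodes a `sgnl://linkdevice?uuid=...&pub_key=...` URI whose key is a base64 33-byte Curve25519 key with a 0x05 type prefix, and that group invites start with `https://signal.group/#`.

```python
import base64
import uuid
from urllib.parse import quote, unquote, urlsplit

def parse_link_device_uri(payload: str):
    """Return {'uuid': ..., 'pub_key': bytes} for a well-formed Signal device-linking
    URI (assumed form sgnl://linkdevice?uuid=...&pub_key=...), else None."""
    parts = urlsplit(payload)
    if parts.scheme != "sgnl" or parts.netloc != "linkdevice":
        return None
    # Decode the query by hand: parse_qs would turn a raw '+' in base64 into a space.
    fields = {}
    for item in parts.query.split("&"):
        key, _, value = item.partition("=")
        fields[key] = unquote(value)
    try:
        dev_uuid = str(uuid.UUID(fields["uuid"]))
        pub_key = base64.b64decode(fields["pub_key"], validate=True)
    except (KeyError, ValueError):
        return None
    # Assumption: a serialized Curve25519 public key is 33 bytes with a 0x05 prefix.
    if len(pub_key) != 33 or pub_key[0] != 0x05:
        return None
    return {"uuid": dev_uuid, "pub_key": pub_key}

def classify_qr_payload(payload: str, pretext: str) -> dict:
    """Label a decoded QR string and flag it when a device-linking URI is presented
    under any pretext other than genuine device pairing."""
    if payload.startswith("https://signal.group/#"):
        kind = "group_invite"
    elif parse_link_device_uri(payload) is not None:
        kind = "link_device"
    else:
        kind = "other"
    suspicious = kind == "link_device" and pretext != "device_pairing"
    return {"kind": kind, "pretext": pretext, "suspicious": suspicious}

# Constructed samples: a benign group invite, a device-link URI dressed up as a
# "group invite" lure, and a genuine pairing code shown on the Signal website.
_KEY = quote(base64.b64encode(b"\x05" + bytes(range(32))).decode(), safe="")
_UUID = "123e4567-e89b-12d3-a456-426614174000"
SAMPLES = [
    ("https://signal.group/#CjQKIExAMPLEfragment", "group_invite"),
    (f"sgnl://linkdevice?uuid={_UUID}&pub_key={_KEY}", "group_invite"),
    (f"sgnl://linkdevice?uuid={_UUID}&pub_key={_KEY}", "device_pairing"),
]

def triage(samples=SAMPLES):
    """Classify every (payload, pretext) pair; only the mismatched lure is flagged."""
    return [classify_qr_payload(p, t) for p, t in samples]

if __name__ == "__main__":
    for row in triage():
        print(row)
```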

Google stated that UNC5792 has hosted modified Signal group invitations on actor-controlled infrastructure, crafted to look like legitimate Signal group invitations.

UNC4221 (also known as ), another threat actor linked to the targeting of Signal, has gone after Signal accounts used by Ukrainian military personnel through a custom phishing kit built to imitate specific features of the Kropyva application, which the Armed Forces of Ukraine use for artillery guidance.

A lightweight JavaScript payload known as PINPOINT, which can collect basic user information and geolocation data through the phishing pages, is also used.

Other adversarial collectives that have targeted Signal include Sandworm (aka APT44), which has used a Windows Batch script named WAVESIGN; Turla, which has used a lightweight PowerShell script; and UNC1151, which has used the Robocopy utility to extract messages from an infected desktop.

The disclosure from Google comes less than a month after the Microsoft Threat Intelligence team linked Star Blizzard to a spear-phishing campaign that abuses a similar device-linking feature to access WhatsApp accounts.

Microsoft and Volexity also disclosed last week that a number of Russian threat actors are using device code phishing to target victims' accounts on messaging apps like WhatsApp, Signal, and Microsoft Teams.

The operational focus on Signal by a number of threat actors in recent months serves as a crucial warning of the growing threat to secure messaging applications, one that is likely to intensify further, according to Google.

This threat to secure messaging applications also includes close-access operations, in which a threat actor obtains brief access to a target's unlocked device, as reflected in the wide-ranging efforts to compromise Signal accounts.

The disclosure comes in the wake of a new search engine optimization (SEO) poisoning campaign that serves fake download pages for popular programs like Signal, LINE, Gmail, and Google Translate to Chinese-speaking users.

"The executables delivered through fake download pages follow a consistent execution pattern involving temporary file extraction, process injection, security modifications, and network communications," Hunt.io said, adding that the samples exhibit infostealer-like functionality associated with a malware strain referred to as MicroClip.
