
Russian cybercriminals are abusing Signal’s “linked devices” feature to conduct remote phishing and malware delivery operations.
Russian cybercriminal groups, including Sandworm and Turla, are increasingly targeting the encrypted messaging app Signal to eavesdrop on Ukrainian soldiers and other individuals who are of interest to Russian intelligence services.
Malicious actors are exploiting Signal's “linked devices” feature, which enables Signal to be used on multiple devices after scanning a QR code.
“If successful, future messages will be delivered synchronously to both the victim and the threat actor in real-time without the need for full-device compromise,” says Google Threat Intelligence Group (GTIG) in its latest research.
While the attacks observed were sparked by wartime demands following the Russian invasion of Ukraine, GTIG expects the attacks to intensify and be adopted by other cybercriminal groups.
In addition, the techniques used against Signal may also be turned on other encrypted messaging services, including WhatsApp and Telegram. Russian-aligned threat groups are already actively targeting both apps using similar methods.
The attacks
To compromise Signal accounts using the device-linking feature, the Russian threat group UNC5792 hosted modified Signal group invitations on its own infrastructure. These invitations were designed to appear identical to legitimate Signal group invites.
GTIG says that in each fake group invite, the JavaScript code that normally redirects the user to join a Signal group was replaced by a malicious block containing the Uniform Resource Identifier (URI) that Signal uses to link a new device to an account. The fake invite thereby tricks victims into linking their Signal accounts to a device controlled by UNC5792.
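A defender-side check for the swap described above, added here as an example and not code from GTIG or Signal: it assumes that legitimate group invites are signal.group links and that device linking is triggered by a sgnl://linkdevice URI carrying a uuid and pub_key, and it flags any page that calls itself an invite while handing the browser a linking URI. Both sample pages are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample pages (not taken from the report). The first mimics a real
# invite: the button leads to a signal.group link. The second mimics the phishing
# kit: the same "join group" wording, but the script hands the browser a
# device-linking URI instead of the group invite redirect.
LEGIT_PAGE = """<h1>Join our Signal group</h1>
<a href="https://signal.group/#CjQKEXAMPLEINVITE">Join group</a>"""
SUSPECT_PAGE = """<h1>Join our Signal group</h1>
<script>
  // looks like the invite redirect, but links a new device instead
  window.location = "sgnl://linkdevice?uuid=EXAMPLE-UUID&amp;pub_key=EXAMPLEKEY";
</script>"""

# Pull every http(s) or sgnl URI out of page text, stopping at quotes/brackets.
URI_RE = re.compile(r"""(?:sgnl|https?)://[^\s"'<>]+""")


def classify_signal_uri(uri: str) -> str:
    """Label a URI by the Signal flow it triggers (URI formats are assumed)."""
    p = urlparse(uri)
    if p.scheme == "https" and p.netloc == "signal.group" and p.fragment:
        return "group-invite"
    if p.scheme == "sgnl" and p.netloc == "linkdevice":
        q = parse_qs(p.query)
        # A complete link request carries the new device's id and public key.
        if set(q) >= {"uuid", "pub_key"}:
            return "device-link"
        return "device-link-partial"
    return "other"


def find_device_link_uris(page: str) -> list:
    """Return every device-linking URI found in a page that presents itself as an invite."""
    text = html.unescape(page)  # turn &amp; back into & so the query string parses
    return [u for u in URI_RE.findall(text)
            if classify_signal_uri(u).startswith("device-link")]


if __name__ == "__main__":
    for name, page in (("legit", LEGIT_PAGE), ("suspect", SUSPECT_PAGE)):
        print(name, find_device_link_uris(page))
```

A real scan would feed the decoded content of a QR code or the fetched invite page into find_device_link_uris and alert on any non-empty result.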
Another threat actor, UNC4221, also attempted to mask its device-linking functionality as an invite to a Signal group from a trusted contact. The researchers observed different variations of this phishing kit.
“As a core component of its Signal targeting, UNC4221 also used a lightweight JavaScript payload tracked as PINPOINT to collect basic user information and geolocation data using the browser’s GeoLocation API,” GTIG notes.
Beyond remote phishing and malware delivery operations, malicious QR codes are being used in close-access operations.
APT44, also known as Sandworm, has worked to enable Russian military forces to link Signal accounts on devices captured on the battlefield back to Sandworm-controlled infrastructure for follow-on exploitation.
In addition to targeted efforts, Russian and Belarusian groups, including Infamous Chisel, Turla, Sandworm, and UNC1151, were observed trying to steal Signal database files from Android and Windows devices.
Sandworm, for instance, has been observed operating WAVESIGN, a lightweight Windows Batch script, to periodically query messages from a victim's Signal database and exfiltrate the most recent ones using Rclone, GTIG says.