Russian APT28 Hackers Using COVID-19 as Bait to Deliver Zebrocy Malware

A Russian threat actor known for its malware campaigns has resurfaced in the threat landscape with yet another attack leveraging COVID-19 as a phishing lure, once again showing how adept adversaries are at repurposing current world events to their advantage.

Linking the operation to a sub-group of APT28 (aka Sofacy, Sednit, Fancy Bear, or STRONTIUM), cybersecurity firm Intezer said the pandemic-themed phishing emails were used to deliver the Go version of the Zebrocy (or Zekapab) malware.

The cybersecurity firm told The Hacker News that the campaigns were observed late last month.

Zebrocy is delivered primarily through phishing attacks that carry decoy Microsoft Office documents with macros as well as executable file attachments.

First spotted in the wild in 2015, the operators behind the malware have been found to overlap with GreyEnergy, a threat group believed to be the successor of BlackEnergy aka Sandworm, suggesting its role as a sub-group with links to both Sofacy and GreyEnergy.

It functions as a backdoor and downloader capable of collecting system information, manipulating files, capturing screenshots, and executing malicious commands, with the results exfiltrated to an attacker-controlled server.

While Zebrocy was originally written in Delphi (the so-called Delphocy variant), it has since been implemented in half a dozen languages, including AutoIT, C++, C#, Go, Python, and VB.NET.

This particular campaign observed by Intezer makes use of the Go version of the malware, first documented by Palo Alto Networks in October 2018 and later by Kaspersky in early 2019, with the lure delivered as part of a Virtual Hard Disk (VHD) file that requires victims to be running Windows 10 to access its contents.

Once mounted, the VHD file appears as an external drive containing two files: one is a PDF document that purports to contain presentation slides about Sinopharm International Corporation, a China-based pharmaceutical company whose COVID-19 vaccine has been found to be 86% effective against the virus in late-stage clinical trials.

The second file is an executable that masquerades as a Word document and, when opened, runs the Zebrocy malware.

Intezer said it also observed a separate attack likely targeting Kazakhstan, with phishing lures impersonating an evacuation letter from India's Directorate General of Civil Aviation.

Phishing campaigns delivering Zebrocy have been spotted several times in the wild in recent months.

In September last year, ESET detailed Sofacy's intrusions targeting the Ministries of Foreign Affairs in Eastern European and Central Asian countries.

Then earlier this August, QuoIntelligence uncovered a separate campaign aimed at a government body in Azerbaijan under the pretense of sharing NATO training courses, used to distribute the Zebrocy Delphi variant.

The Golang version of the Zebrocy backdoor also caught the attention of the US Cybersecurity and Infrastructure Security Agency (CISA), which released an advisory in late October cautioning that the malware is "designed to allow a remote operator to perform various functions on the compromised system."

To thwart such attacks, CISA recommends exercising caution when using removable media and when opening emails and attachments from unknown senders, scanning suspicious email attachments, and ensuring that the extension of a scanned attachment matches its file header.
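CISA's last recommendation, checking that an attachment's extension agrees with its file header, is the one defenders can automate most cheaply. The following is an added example, not code from the original article, Intezer, or CISA: a small Python checker that classifies an attachment by its leading magic bytes (or, for VHD, by the footer cookie), compares the result with the claimed extension, and flags the three tricks described above: an executable renamed to look like a Word document, a double extension such as `report.docx.exe`, and a VHD disk image that Windows 10 mounts as a drive so that its inner files escape the mail gateway's scan. The signature table, the extension table and the sample attachments are all constructed for the example; the samples are harmless byte strings, not real malware.

```python
import os

# Constructed lookup of leading magic bytes for common attachment types.
MAGIC = [
    (b"MZ", "pe"),                                  # Windows PE executable (.exe/.dll/.scr)
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                         # OOXML .docx/.xlsx/.pptx are ZIP containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy .doc/.xls/.ppt (OLE compound file)
]

# Which header type each extension legitimately carries (constructed table).
EXPECTED = {
    ".exe": "pe", ".dll": "pe", ".scr": "pe",
    ".pdf": "pdf",
    ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
    ".doc": "ole", ".xls": "ole", ".ppt": "ole",
    ".vhd": "vhd",
}

VHD_COOKIE = b"conectix"  # first bytes of the 512-byte VHD footer


def detect_type(data: bytes) -> str:
    """Classify content by its header alone, ignoring the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    # A fixed VHD keeps its footer in the last 512 bytes; a dynamic VHD also
    # mirrors that footer at offset 0, so check both positions.
    if data.startswith(VHD_COOKIE) or (len(data) >= 512 and data[-512:].startswith(VHD_COOKIE)):
        return "vhd"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the real header and raise flags."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    actual = detect_type(data)
    expected = EXPECTED.get(ext)
    flags = []

    if expected is None:
        verdict = "review"       # extension not in the table: a human should look
    elif actual == expected:
        verdict = "ok"
    else:
        verdict = "mismatch"     # e.g. PE bytes inside a file named .docx

    if actual == "pe" and expected != "pe":
        flags.append("executable_masquerade")
    if os.path.splitext(stem)[1].lower() in EXPECTED:
        flags.append("double_extension")  # "report.docx.exe": the inner extension is the lure
    if actual == "vhd":
        flags.append("disk_image")        # mounts as a drive; its contents are not scanned here

    return {"filename": filename, "extension": ext, "header_type": actual,
            "verdict": verdict, "flags": flags}


# Constructed sample attachments: a PDF, a PE renamed to .docx, a double-extension
# PE, and a minimal fixed VHD consisting of a zero-filled body plus its footer.
SAMPLES = {
    "Sinopharm_slides.pdf": b"%PDF-1.7\n% constructed sample\n",
    "Sinopharm_report.docx": b"MZ" + b"\x00" * 62 + b"PE\x00\x00",
    "Sinopharm_report.docx.exe": b"MZ" + b"\x00" * 62 + b"PE\x00\x00",
    "evacuation_letter.vhd": b"\x00" * 1024 + VHD_COOKIE + b"\x00" * 504,
}


def triage(samples: dict) -> list:
    """Return the names of attachments that are not a clean, unflagged 'ok'."""
    flagged = []
    for name, data in samples.items():
        result = check_attachment(name, data)
        if result["verdict"] != "ok" or result["flags"]:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_attachment(name, data))
    print("needs attention:", triage(SAMPLES))
```

Only the genuine PDF passes cleanly. The renamed executable is a `mismatch`, the double-extension file is technically consistent (an `.exe` really is a PE) but still flagged because of the inner `.docx`, and the VHD is consistent with its extension yet flagged as a disk image, which is the right call for a mail gateway: a header check validates the container, not what is inside it, so a mounted image still needs its contents scanned separately.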
