Advisory | Malware Intelligence
Threat Actor | APT28 (aliases: Sofacy, Sednit, Fancy Bear, STRONTIUM)
Malware | Zebrocy
Target Platform | Windows
Target Countries
- Afghanistan
- Azerbaijan
- Zimbabwe
- China
- Japan
- Kazakhstan
- Egypt
- Georgia
- Iran
- Korea
- Kyrgyzstan
- Mongolia
- Russia
- Saudi Arabia
- Serbia
- Switzerland
- Tajikistan
- Turkey
- Turkmenistan
- Ukraine
- Uruguay
- Bosnia and Herzegovina
Infection
- Lure: a PDF presented as Sinopharm International Corporation's latest research on COVID-19
- Delivery: a VHD disk image (see the Indicators of Compromise below) carrying the lure alongside the Zebrocy executable, which is presented to the victim as a Word document
Capabilities
- Collect system information and send it to the C&C server
- Create, modify and delete files
- Take screenshots of the user environment
- Enumerate drives
- Persist via a scheduled task
Impact
Technical Impact
- Persistence on the infected host through a scheduled task, so the implant survives reboots and logoffs.
- Arbitrary file creation, modification and deletion on the host.
- Enumeration of attached and mapped drives, exposing their contents to collection.
- Exposure of victims' personal data through system-information collection and screenshots.
Business Impact
- Data on network shares and removable media reachable from the infected host is at risk of collection.
- Possible leakage of business data to the attacker through the C&C channel.
Indicators of Compromise
C&C URL (defanged; path spelling as observed, do not "correct" it when adding it to a blocklist):
- hxxps://support-cloud[.]life/managment/cb-secure/technology.php
Files (SHA-256 | file name as observed):
- d5d9210ef49c6780016536b0863cc50f6de03f73e70c2af46cc3cff0e2bf9353 | 30-1868.vhd
- 43c65d87d690aea7c515fe84317af40b7e64b350304b0fc958a51d62826feade | 30-22-243.vhd
- d444fde5885ec1241041d04b3001be17162523d2058ab1a7f88aac50a6059bc0 | No.243.CB3-EVACUATION LETTER.vhd
- f36a0ee7f4ec23765bb28fbfa734e402042278864e246a54b8c4db6f58275662 | 243_BIO_SINOPHARM.exe
- 61c2e524dcc25a59d7f2fe7eff269865a3ed14d6b40e4fea33b3cd3f58c14f19 | 243.CB3.EVACUATION LETTER.exe
- 6449d0cb1396d6feba7fb9e25fb20e9a0a5ef3e8623332844458d73057cf04a1 | 30-1868 20.10.2020.exe
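A hunting script for the indicators above, added here as an example; it is not part of the original advisory and not tooling from any vendor. It transcribes the SHA-256 hashes and the C&C URL from the list above and checks three things a responder would check: file hashes under a directory, proxy log lines for the C&C host, and `schtasks /query /fo CSV /v` output for the persistence mechanism. The proxy log lines and the schtasks CSV it processes when run without arguments are constructed samples, and the rule that flags scheduled tasks launching executables from user-writable directories is a generic hunting heuristic, not a behaviour this advisory attributes to Zebrocy.

```python
"""Hunt for the Zebrocy indicators in this advisory (added example).

Usage: python zebrocy_hunt.py [scan-dir] [proxy.log] [schtasks.csv]
With no arguments it runs over the constructed samples embedded below.
"""
import csv
import hashlib
import io
import os
import re
import sys

# SHA-256 -> file name, transcribed from the advisory's IOC list.
ZEBROCY_HASHES = {
    "d5d9210ef49c6780016536b0863cc50f6de03f73e70c2af46cc3cff0e2bf9353": "30-1868.vhd",
    "43c65d87d690aea7c515fe84317af40b7e64b350304b0fc958a51d62826feade": "30-22-243.vhd",
    "d444fde5885ec1241041d04b3001be17162523d2058ab1a7f88aac50a6059bc0": "No.243.CB3-EVACUATION LETTER.vhd",
    "f36a0ee7f4ec23765bb28fbfa734e402042278864e246a54b8c4db6f58275662": "243_BIO_SINOPHARM.exe",
    "61c2e524dcc25a59d7f2fe7eff269865a3ed14d6b40e4fea33b3cd3f58c14f19": "243.CB3.EVACUATION LETTER.exe",
    "6449d0cb1396d6feba7fb9e25fb20e9a0a5ef3e8623332844458d73057cf04a1": "30-1868 20.10.2020.exe",
}
# C&C URL exactly as published (defanged, path spelling as observed).
C2_DEFANGED = "hxxps://support-cloud[.]life/managment/cb-secure/technology.php"
# Assumption (generic hunting heuristic, not from the advisory): scheduled tasks
# whose action lives in a user-writable directory deserve a look.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample input (Squid-style proxy lines and schtasks CSV), not real telemetry.
SAMPLE_PROXY_LOG = [
    "1605000001.123 452 10.0.0.5 TCP_MISS/200 1200 GET https://support-cloud.life/managment/cb-secure/technology.php - HIER_DIRECT/203.0.113.9 text/html",
    "1605000002.456 31 10.0.0.7 TCP_HIT/200 800 GET https://www.example.com/ - NONE/- text/html",
    "1605000003.789 77 10.0.0.5 TCP_MISS/200 900 CONNECT SUPPORT-CLOUD.LIFE:443 - HIER_DIRECT/203.0.113.9 -",
]
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft","%windir%\system32\defrag.exe -c -h -o -$","N/A","N/A"
"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment"
"WS01","\Updater","11/11/2020 9:00:00 AM","Ready","Interactive only","11/11/2020 8:00:00 AM","0","WS01\alice","C:\Users\alice\AppData\Roaming\Updater\update.exe","N/A","N/A"
'''


def refang(ioc):
    """Undo the usual defanging so the indicator matches raw log data."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def c2_host(defanged_url):
    """Host part of a (defanged) URL, lower-cased; matching on the host catches
    other URIs served from the same C&C, not just the published path."""
    return re.match(r"https?://([^/:]+)", refang(defanged_url)).group(1).lower()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, hashes=ZEBROCY_HASHES):
    """Walk root and return (path, sha256, advisory file name) for every file
    whose hash is a known sample. Matching is by content, so renamed copies hit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished file; keep scanning
            if digest in hashes:
                hits.append((path, digest, hashes[digest]))
    return hits


def find_c2_contacts(log_lines, c2_url=C2_DEFANGED):
    """Return every log line that mentions the C&C host (case-insensitive)."""
    host = c2_host(c2_url)
    return [line for line in log_lines if host in line.lower()]


def flag_scheduled_tasks(csv_text):
    """Parse `schtasks /query /fo CSV /v` output and return (TaskName, Task To Run)
    for tasks launched from user-writable paths. schtasks repeats the header row
    per task folder, so rows whose TaskName is literally "TaskName" are skipped."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("TaskName") == "TaskName":
            continue
        action = row.get("Task To Run") or ""
        if any(marker in action.lower() for marker in USER_WRITABLE_MARKERS):
            flagged.append((row["TaskName"], action))
    return flagged


if __name__ == "__main__":
    scan_dir = sys.argv[1] if len(sys.argv) > 1 else None
    log_lines = open(sys.argv[2], errors="replace") if len(sys.argv) > 2 else SAMPLE_PROXY_LOG
    tasks_csv = open(sys.argv[3], encoding="utf-8-sig", errors="replace").read() if len(sys.argv) > 3 else SAMPLE_SCHTASKS_CSV
    for path, digest, name in (scan_tree(scan_dir) if scan_dir else []):
        print(f"HASH MATCH {path} {digest} (advisory name: {name})")
    for line in find_c2_contacts(log_lines):
        print("C2 CONTACT", line.rstrip())
    for name, action in flag_scheduled_tasks(tasks_csv):
        print("SUSPICIOUS TASK", name, "->", action)
```

Hash matching is the only high-confidence check here: a recompiled sample changes its hash, so a clean sweep of the hashes above is not evidence of absence. The C&C match is the stronger hunt signal in practice, and the scheduled-task rule is deliberately broad and will surface legitimate updaters that install into %APPDATA%; treat its output as a triage list, not an alert.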
Mitigations
- Block or quarantine VHD/VHDX attachments and downloads at the mail and web gateways; the samples above are delivered as disk images, an attachment type few users have a legitimate need to receive.
- Block the C&C domain at the proxy and DNS layers, and search historical proxy and DNS logs for it to find hosts that already called out.
- Hunt for the SHA-256 hashes above on endpoints, and review scheduled tasks that launch executables from user-writable directories, since the implant persists through a scheduled task.
- Keep the operating system and applications up to date.
- Keep EDR detection content and signatures current.
- Deploy an IDPS with rules for the C&C indicators above.
- Disable file and printer sharing where it is not required, which limits what drive enumeration from an infected host can reach.
- Enforce strong passwords with periodic rotation, and audit accounts and privileges regularly.
- Train users to treat unsolicited COVID-19 research documents and evacuation letters, the lure themes used here, as suspect.