Schedule a demo

Zebrocy Malware Laced Phishing Email Threat Intel Advisory

  • 7:34 pm
  • Categories: Advisory, APT, Malware

Summary

CloudSEK threat intelligence advisory on Zebrocy, group that supports APT groups like Sofacy, masquerades as the latest research on COVID-19.
Advisory
 Malware Intelligence
Threat Actor 
 APT28  Sofacy, Sednit, Fancy Bear, STRONTIUM 
Malware
 Zebrocy
Target Platform
 Windows
  APT28 (also known as Fancy Bear, Sofacy, Sednit, STRONTIUM) was discovered using the malware Zebrocy as part of their new COVID-19 campaign targeting Government agencies and commercial organization of the following nations:
  • Afghanistan
  • Azerbaijan
  • Zimbabwe
  • China
  • Japan
  • Kazakhstan
  • Egypt
  • Georgia
  • Iran
  • Korea
  • Kyrgyzstan
  • Mongolia
  • Russia
  • Saudi Arabia
  • Serbia
  • Switzerland
  • Tajikistan
  • Turkey
  • Turkmenistan
  • Ukraine
  • Uruguay
  • Bosnia and Herzegovina
Zebrocy is a sub-group that helps APT groups like Sofacy with victim profiling and access. The malware that the group delivers, dubbed Zebrocy, initiates the campaign by sending out phishing emails with malicious attachments, masquerading as the latest research by Sinopharm International Corporation on COVID-19. The actors also pose as officials from Directorate General of Civil Aviation, India.

Infection

Trojanized DGCA Documents in VHD
Trojanized DGCA Documents in VHD
The malicious email usually contains a Virtual Hard Disk (VHD), which can only be accessed in Windows 10. The VHD includes the following files: 
  • PDF of Sinopharm International Corporation’s latest research on COVID-19
  • Word document that contains the Zebrocy malware
Trojanized Sinopharm Document in VHD
Trojanized Sinopharm Document in VHD
The malware launches a backdoor and a downloader. Zebrocy is armed with these functionalities :
  • Collect system information and send them to the C&C server.
  • Manipulate files
  • Take screenshots of the user environment
  • Drive enumeration 
  • Persistence via scheduled task 
The enumerated data is sent to the C2, awaiting further commands.

Impact 

Technical Impact
  • Persistence in the infected system.
  • This malware can create, edit, or delete any file in the system.
  • Capable of discovering all the connected devices.
  • Expose personal data of the victims.
Business Impact
  • Compromise all devices that are connected to the infected device
  • Possibilities of business data leaks

Indicators of Compromise

C&C
  • hxxps://support-cloud[.]life/managment/cb-secure/technology.php
VHD files
  • d5d9210ef49c6780016536b0863cc50f6de03f73e70c2af46cc3cff0e2bf9353  30-1868.vhd
  • 43c65d87d690aea7c515fe84317af40b7e64b350304b0fc958a51d62826feade  30-22-243.vhd
  • d444fde5885ec1241041d04b3001be17162523d2058ab1a7f88aac50a6059bc0  No.243.CB3-EVACUATION LETTER.vhd
Zebrocy
  • f36a0ee7f4ec23765bb28fbfa734e402042278864e246a54b8c4db6f58275662  243_BIO_SINOPHARM.exe
  • 61c2e524dcc25a59d7f2fe7eff269865a3ed14d6b40e4fea33b3cd3f58c14f19  243.CB3.EVACUATION LETTER.exe
  • 6449d0cb1396d6feba7fb9e25fb20e9a0a5ef3e8623332844458d73057cf04a1  30-1868 20.10.2020.exe

Mitigations

  • Users should practice cyber hygiene
  • Keep the system up to date 
  • Update EDR with the latest signature
  • Deploy effective IDPS in the network
  • Disable file and printer sharing services
  • Use of complex passwords and periodic password rotation
  • Proper account and privilege audits

Table of Contents

Try XVigil for free

Request an easy and customized demo for free

Be informed in your Inbox
Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.
Subscribe now
Join the Discussions
Discuss your way into our Community about these threats and stay Vigilant and informed.
Discuss Now