Russian APT28 Hackers Using COVID-19 as Bait to Deliver Zebrocy Malware

A Russian threat actor known for its malware campaigns has resurfaced in the threat landscape with yet another attack leveraging COVID-19 as a phishing lure, once again showing how adept adversaries are at repurposing current world events to their advantage.

Linking the operation to a sub-group of APT28 (aka Sofacy, Sednit, Fancy Bear, or STRONTIUM), cybersecurity firm Intezer said the pandemic-themed phishing emails were used to deliver the Go version of the Zebrocy (or Zekapab) malware.

The cybersecurity firm told The Hacker News that the campaigns were observed late last month.

Zebrocy is delivered mainly through phishing attacks that use decoy Microsoft Office documents with macros as well as executable file attachments.

First observed in the wild in 2015, the operators behind the malware have been found to overlap with GreyEnergy, a threat group believed to be the successor of BlackEnergy aka Sandworm, suggesting its role as a sub-group with links to both Sofacy and GreyEnergy.

It functions as a backdoor and downloader capable of collecting system information, manipulating files, capturing screenshots, and executing malicious commands, with the results exfiltrated to an attacker-controlled server.

While Zebrocy was originally written in Delphi (known as Delphocy), it has since been implemented in half a dozen languages, including AutoIT, C++, C#, Go, Python, and VB.NET.

This particular campaign spotted by Intezer uses the Go version of the malware, first documented by Palo Alto Networks in October 2018 and later by Kaspersky in early 2019, with the lure delivered as part of a Virtual Hard Disk (VHD) file that requires victims to use Windows 10 to access its contents.

Once mounted, the VHD file appears as an external drive with two files: one a PDF document that purports to contain presentation slides about Sinopharm International Corporation, a China-based pharmaceutical company whose COVID-19 vaccine has been found to be 86% effective against the virus in late-stage clinical trials.

The 2nd file is an executable that masquerades as a Word document that, when opened, runs the Zebrocy malware.

Intezer said it also spotted a separate attack likely targeting Kazakhstan with phishing lures impersonating an evacuation letter from India's Directorate General of Civil Aviation.

Phishing campaigns delivering Zebrocy have been spotted several times in the wild in recent months.

In September last year, ESET detailed Sofacy's intrusive activities targeting the Ministries of Foreign Affairs in Eastern European and Central Asian countries.

Then earlier this August, QuoIntelligence uncovered a separate campaign aimed at a government body in Azerbaijan under the pretense of sharing NATO training courses, distributing the Zebrocy Delphi variant.

The Golang version of the Zebrocy backdoor also caught the attention of the US Cybersecurity and Infrastructure Security Agency (CISA), which released an advisory in late October warning that the malware is "designed to allow a remote operator to perform various functions on the compromised system."

To thwart such attacks, CISA recommends exercising caution when using removable media and when opening emails and attachments from unknown senders, scanning suspicious email attachments, and ensuring that the extension of a scanned attachment matches its file header.
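The last recommendation, checking that an attachment's extension agrees with its file header, is the check that catches an executable dressed up as a Word document or a lure hidden in a VHD container. The script below is an added illustration written for this article, not code from Intezer, CISA, or the Zebrocy reports; it uses well-known magic bytes (PE `MZ`, ZIP `PK\x03\x04` for modern Office files, the OLE header for legacy Office files, `%PDF-`, and the VHD `conectix` cookie), and all sample inputs are constructed in the test rather than taken from any real lure.

```python
import os
from typing import Optional

# File-type families keyed by the leading bytes a genuine file of that type carries.
# Grouping by family avoids false mismatches between .docx/.xlsx/.pptx, which all share
# the same ZIP container header.
FAMILIES = {
    "pe":    {"exts": {".exe", ".dll", ".scr", ".com"}, "magic": (b"MZ",)},
    "ooxml": {"exts": {".docx", ".xlsx", ".pptx"}, "magic": (b"PK\x03\x04",)},
    "ole":   {"exts": {".doc", ".xls", ".ppt"}, "magic": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",)},
    "pdf":   {"exts": {".pdf"}, "magic": (b"%PDF-",)},
    "vhd":   {"exts": {".vhd"}, "magic": (b"conectix",)},
}


def detect_family(data: bytes) -> Optional[str]:
    """Identify the content type from its header (or, for a fixed VHD, its 512-byte footer)."""
    for name, fam in FAMILIES.items():
        if any(data.startswith(m) for m in fam["magic"]):
            return name
    # A fixed-size VHD has no header; its 'conectix' footer sits in the last 512 bytes.
    if len(data) >= 512 and data[-512:].startswith(b"conectix"):
        return "vhd"
    return None


def claimed_family(filename: str) -> Optional[str]:
    """Map the extension the attachment *claims* to the family it should belong to."""
    ext = os.path.splitext(filename)[1].lower()
    for name, fam in FAMILIES.items():
        if ext in fam["exts"]:
            return name
    return None


def triage(filename: str, data: bytes) -> str:
    """Return a verdict string: 'ok', or 'block: ...' / 'review: ...' with the reason."""
    actual = detect_family(data)
    claimed = claimed_family(filename)
    # Executable content in a mail attachment is blocked regardless of what the name says.
    if actual == "pe":
        return "block: executable content"
    if actual is None or claimed is None:
        return "review: unrecognised type"
    if actual != claimed:
        return f"block: {claimed} extension but {actual} content"
    return "ok"
```

Mounted-VHD contents should be run through the same check file by file, since the container itself may be legitimate while the files inside it are not.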
