APT28, also known as Sofacy, Sednit, Fancy Bear, or STRONTIUM, has reappeared with an attack leveraging COVID-19 as phishing lures, once again indicating how adversaries are adept at repurposing the current world events to their advantage.
Intezer said the pandemic-themed phishing emails were employed to deliver the Go version of Zebrocy (or Zekapab) malware.
Zebrocy is delivered primarily via phishing attacks that contain decoy Microsoft Office documents with macros as well as executable file attachments.
The lure was delivered as part of a Virtual Hard Drive (VHD) file that requires victims to use Windows 10 to access the files. While the malware samples were heavily obfuscated, it was possible to attribute them to the Sofacy threat actor since they shared genomes with samples used in previous campaigns.
Zebrocy is a malware used by the threat group Sofacy, also known as Sednit, APT28, Fancy Bear, and STRONTIUM. Sofacy was one of the groups indicted by the Department of Justice (DOJ) for the compromise of the Democratic National Committee (DNC). The Zebrocy toolset was first reported by Kaspersky Labs as part of theirAPT Trends report in 2017. The malware was first used in2015 and overlapped with known Sofacy infrastructure at the time. Zebrocy operates as a downloader and collects information about the infected host that is uploaded to the command and control (C&C) server before downloading and executing the next stage.
The first version of the downloader was written in Delphi and was based on a previous malware used by Sofacy. One unique aspect of the operators behind Zebrocy is their choice of evolving the malware. Instead of improving their codebase to add new functionalities and increase their chance of staying undetected, the group has opted to keep the malware simple by implementing new versions in different programming languages. Zebrocy samples written in AutoIT, C++, C#, Delphi, Go, and VB.NET have been discovered by the research community.
While Zebrocy is known to be used by a subset of the Sofacy threat group, Kaspersky Labs reported in January 2019 that they had discovered infrastructure used both by Zebrocy and GreyEnergy. GreyEnergy was discovered by ESET and reported on inOctober 2018. The group is believed to be the successor of BlackEnergy, also known as Sandworm. Sandworm was recently attributed to Russia’s GRU by the United States government in an indictment for the NotPetya and Olympic Destroyer campaigns. Generally speaking, Sofacy and BlackEnergy have diverging goals and have been known to go after different targets. In this case, the common infrastructure and targets between the Sofacy subgroup using Zebrocy and GreyEnergy suggests a relationship between the groups.
Zebrocy is mainly used against governments and commercial organizations engaged in foreign affairs. Victims have been located in: “Afghanistan, Azerbaijan, Bosnia and Herzegovina, China, Egypt, Georgia, Iran, Japan, Kazakhstan, Korea, Kyrgyzstan, Mongolia, Russia, Saudi Arabia, Serbia, Switzerland, Tajikistan, Turkey, Turkmenistan, Ukraine, Uruguay, and Zimbabwe.” The delivery of Zebrocy is usually via a spear-phishing email. The email has contained Microsoft Office documents or archive files.