Zebrocy Malware Utilized By The APT28 Group Proves A Threat Worldwide

Continue reading
Zebrocy Malware Utilized By The APT28 Group Proves A Threat Worldwide
Active since 2007, the APT28 group has targeted governments, militaries and security organizations globally.
In November, the APT28 gang uncovered COVID-19 phishing methods used for delivering the Go version of Zebrocy. Zebrocy is mainly utilized against governments and commercial groups who deal with foreign affairs.
The method was delivered as part of a Virtual Hard Drive (VHD) file that could be accessed only by Windows 10 users. The suspicious software samples analyzed by the researchers were heavily confused but the analysis of the code allowed the experts to attribute them to the APT28. The suspicious software connects to the C2 through HTTP POST requests.
The malicious software also attempts to download and execute a payload from the C2 it.
Upon organizing the VHD file, it appears as an external drive with two files, a PDF document that intends to contain presentation slides about Sinopharm International Corporation and an executable that pretends to act as a Word document. When opened, the executable runs the Zebrocy malicious software.
In an attack carried out in November and aimed at Kazakhstan, the threat actors used phishing methods that imitating an evacuation letter from India’s Directorate General of Civil Aviation.
Sources stated that Zebrocy is a suspicious software toolset used by the Sofacy threat organization. While the organization keeps changing perplexities and delivery techniques, code reuse allowed Intezer to detect and correctly classify this malicious software.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.