The Zebrocy trojan – a custom downloader malware used by Russia-linked APT Sofacy (a.k.a. APT28, Fancy Bear or Sednit) – has a new variant. While it’s functionally much the same as its other versions, the new code was written using the Go programming language.
The similarities between the new payload and previous Zebrocy variants start with the fact that the versions share the same command-and-control (C2) URL, according to an analysis from Palo Alto’s Unit 42 group. Beyond that, additional overlaps include the fact that it does initial data collection on the compromised system, exfiltrates this information to the C2 server and attempts to download, install and execute an additional payload from the C2.
It also uses ASCII hexadecimal obfuscation of strings, a volume serial number without a hyphen obtained from the VOL command, uses the output from “systeminfo” and “tasklist” in the outbound C2 beacon, and uses the string “PrgStart” within the C2 beacon, according to Unit 42 analysis.
“Past Zebrocy variants have been developed in AutoIt, Delphi, VB.NET, C# and Visual C++,” said developers at Unit 42, in a posting on Tuesday. “While we cannot be certain of the impetus for this, we believe the threat group uses multiple languages to create their trojans to make them differ structurally and visually to make detection more difficult.”
Fresh APT Attacks
Unit 42 has so far seen two attacks delivering the Go variant of Zebrocy: One on October 11, and again on Dec. 5 in an attack that seems to be linked to a previously analyzed campaign (the “Dear Joohn” campaign) that ran from mid-October to mid-November.
The first was a spear-phishing email with an LNK shortcut attachment that was meant to rely on PowerShell scripts; the scripts however were incorrectly coded so the payload couldn’t execute.
The second used a delivery document that had an author name of Joohn, which is how Unit 42 clustered the Dear Joohn delivery documents for that campaign. There, the APT targeted several government entities around the globe, including in North America, Europe and a former Soviet state, and it came in waves during late October and early November. It was seen spreading a brand-new trojan dubbed Cannon.
Now, the tactics seem to have evolved to use the new Zebrocy variant.
“Like the Dear Joohn attacks, the delivery document downloads a remote template via HTTP,” the researchers explained. “Upon opening the delivery document, the lure image … attempts to trick the recipient into enabling content to run the macro within the downloaded remote template.”
That macro is similar to the one used in other Dear Joohn samples, except that it extracts a ZIP from the remote template that contains the Zebrocy executable, which in turn fetches a secondary payload (another downloader) from the C2.
“The Sofacy group continues to use variants of the Zebrocy payload in its attack campaigns,” the researchers said. “The adversaries made some drastic errors to the delivery LNK shortcut, which made this attack seemingly ineffective. Regardless … It is also apparent that the Sofacy group will use these new variants of Zebrocy across multiple different campaigns, as the Go variant of Zebrocy was delivered via the LNK shortcut and a Dear Joohn delivery document.”