Cybercriminals from Sednit group, also known as Fancy Bear, APT28, Sofacy launching new Zebrocy Malware that indented to open backdoor on the targeted machine to gain the remote access.
The sednit hacking group operates since 2004, the threat operators from this group employed a verity of hacking tools to perform its espionage operations.
Researchers from ESET believes that the Sednit group unleashed new components that target victims in various countries in the Middle East and Central Asia in 2015. Since then, the number and diversity of components have increased drastically.
Unlike other malware, Threat actors from Sednit group launched a spearphishing email campaign along with shortening URL using Bitly to delivery the first stage of malware, which is pretty unusual.
Based on ESET telemetry data, the URL is being delivered through the spearphishing Email, and the link is IP based which holding the archive payload in background.
Zebrocy Malware infection Process
Archived payload contains two files, in which, the first file indicate the malicious executable and the second file holding the weaponized PDF file.
Once the victims click the file, the binary will be executed, and it promotes the user to enter the password; eventually, PDF will open after the validation attempt.
PDF documents appeared to be empty, but the downloader start its malicious process in the background which is written in Delphi, and this first stage of the downloader will download another new downloader and execute it.
According to ESET, Once again this downloader is as straightforward as the Zebrocy gang’s other downloaders. It creates an ID and it downloads a new, interesting backdoor, (this time) written in Delphi.”
Later this backdoor will reside in the resource session and is split into four different hex-encoded, encrypted blobs.
Once the backdoor takes the system control, it sends necessary information about its newly compromised system. Later the operators take control of the backdoor and start to send commands right away.
There are some of the first set of commands that utilize the information about the victim’s computer and environment.
| Commands | Arguments |
|---|---|
| SCREENSHOT | None |
| SYS_INFO | None |
| GET_NETWORK | None |
| SCAN_ALL | None |
“The commands above are commonly executed when the operators first connect to a newly activated backdoor. They don’t have any arguments, and they are quite self-explanatory. Other commands commonly seen executed shortly after these backdoors are activated”, listed below:
| Commands | Arguments |
|---|---|
| REG_GET_KEYS_VALUES | HKEY_CURRENT_USER SoftwareMicrosoftWindowsCurrentVersion |
| DOWNLOAD_DAY(30) | c:*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg;*.jpeg; *.bmp;*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*
d:*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg;*. |
| DOWNLOAD_DAY(1) |
c:*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg* d:*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg* |
| CMD_EXECUTE | echo %APPDATA% ipconfig /all netstat -aon |
| CMD_EXECUTE | wmic process get Caption,ExecutablePath reg query “HKCUSoftwareMicrosoftWindowsCurrentVersionRun” /s |
The interesting part is that the threat actors also deploy the custom backdoor on the victim’s machine, and they use COM object hijacking to make the malware persistent on the system.
But unfortunately, researchers are unclear what was the purpose of this custom backdoor and also it is living a short time in the system. Later threat actors quickly remove it once they complete the task.
You can Download Free E-book to learn about complete Enterprise Security Implementation & Mitigation Steps – Download Free-Ebook Here.
