Fancy Bear hacker group creates new ‘Go’ variant of Zebrocy malware

• The cyberespionage group has developed a new variant using the Go language.
• Sofacy was spotted delivering the Go variant of the Zebrocy tool via LNK shortcut and a Dear Joohn delivery document.

The Russian cyberespionage group Sofacy, also known as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium has developed a new ‘Go’ variant of the Zebrocy malware using the Go language.

In the past, the Zebrocy variants have been developed in AutoIt, Delphi, VB.NET, C#, and Visual C++. Researchers believe that the Fancy Bear hacker group uses multiple languages to create their malware to make them differ structurally and visually and to make detection more difficult.

Attacks delivering the Go variant of Zebrocy

Researchers have spotted two Sofacy attacks delivering the Go variant of Zebrocy. The first attack occurred on October 11 and relied on a spear-phishing email with an LNK shortcut attachment. The LNK shortcut is meant to run a series of PowerShell scripts to extract a payload from the shortcut to install and execute.

The PowerShell scripts were coded incorrectly and could not install or run the payload as delivered as a result of which the first attack failed miserably.

“Regardless of the attack’s ineffectiveness, the techniques and procedures observed provide analytical points for correlation and should be included in an organizations security defenses as the group may use the payload and infrastructure in future attacks,” researchers said.

Recently, researchers observed Sofacy delivering the Go variant of Zebrocy using a document related to the Dear Joohn attack campaign that occurred between October and November 2018. The delivery document that installed the Go variant of Zebrocy tool was created on December 3, 2018.

More details on the new variant

The new variant of the Zebrocy tool written in the Go programming language collects information from compromised systems, exfiltrates the information to the C&C server, and attempts to download and execute the payload from C2 server. The new variant also has some overlaps in its functionality. The most important overlap between the Go variant of Zebrocy and with its previous variants is a shared C2 URL that was also used by other Zebrocy samples.

The other overlaps include:

• The use of ASCII hexadecimal obfuscation of strings.
• The use of the volume serial number without a hyphen obtained from the VOL command.
• The use of the output from “systeminfo” and “tasklist” in the outbound C2 beacon.
• The use of the string “PrgStart” within the C2 beacon.

The Sofacy group continues to use variants of the Zebrocy payload in its attack campaigns. Researchers believe that the hacker group will continue to use these new variants of Zebrocy across multiple different campaigns.