New backdoor family identified in Zebrocy APT group’s campaigns

• The backdoor is coded in a new programming language called Nim.
• It is used by attackers to steal credentials as well as to establish persistence on a compromised system.

Zebrocy group, also known as APT28, has been linked to a new backdoor family. A report by Kaspersky Labs that detailed the developments of the group over the years, mentions this new backdoor. According to the report, the backdoor is written in a new programming language called Nim and is used by attackers to steal credentials and gain persistence on infected systems.

Worth noting

• Just like in previous campaigns, the Zebrocy group has relied on spearphishing techniques to distribute the Nim-based backdoor.
• As per Kaspersky’s findings, the group targeted 12 countries using this new backdoor. They include Kazakhstan, Tajikistan, Turkmenistan, Germany, Kyrgyzstan, United Kingdom, Myanmar, Syrian Arab Republic, Ukraine, Afghanistan, Tanzania, and Iran.
• The report also speaks of the growing activity, malware set and infrastructure of the Zebrocy group which has been used to target networks belonging to government and related entities.

What makes it different?

Kaspersky’s report indicates that the Zebrocy group has employed a plethora of programming languages along with copy-pasting various codes for the malware set.

“The Zebrocy malware set is tossed together from a wide set of languages and technologies, including both legitimate and malicious code shared on online forums and sites like Github and Pastebin. This repeated “copy/paste” practice is not frequently seen in Russian speaking APT malware sets, although open source and penetration testing/red teaming malware are frequently used by other groups, like Empire, Responder, BeEF, and Mimikatz,” said the report.

Kaspersky Lab has stated it would be publishing more details on this Nim backdoor variant of Zebrocy in the coming days.