Security researchers observed that attackers behind Zebrocy run commands manually to collect login credentials and private keys from web browsers and email clients.
The big picture
In late August 2018, the Sofacy group, also known as Fancy Bear, Sednit, or STRONTIUM, launched a spearphishing email campaign that distributed shortened URLs which delivered the first stage of the Zebrocy components.
The Delphi-based Zebrocy downloader is split into four different hex-encoded, encrypted blobs that contain different parts of the configuration.
Once the backdoor has reported the newly compromised machine, the attackers take control of it and start sending commands manually.
“Observing commands used in the wild by the operator is quite interesting. They are gathering a considerable amount of information on the compromised target and they are not worried about duplicated data,” the researchers explained in a blog post.