Zebrocy targets Yandex Browser, Chromium and versions of Microsoft Outlook

• The first set of commands collect information about the victim’s system and environment.
• The attackers behind Zebrocy drop dumpers on victims’ computers in order to collect login credentials and private keys from web browsers including Yandex Browser, Chromium, 7Star Browser, CentBrowser, and versions of Microsoft Outlook from 1997 through 2016.

Security researchers observed that attackers behind Zebrocy run commands manually to collect login credentials and private keys from web browsers and email clients.

The big picture

In late August 2018, the Sofacy group, also known as Fancy Bear, Sednit, or STRONTIUM launched a spearphishing email campaign that distributed shortened URLs which delivered the first stage of Zebrocy components.

• The shortened URL redirects victims to an IP-address-based URL, where the archived payload is located.
• The archive includes two files - an executable file and a decoy PDF document.
• The PDF document appears to be empty, however, the downloader runs in the background.
• The stage-1 downloader downloads a C++ based new downloader, which in turn downloads a Delphi-based Zebrocy downloader after the creation of an ID.

The Delphi-based Zebrocy downloader is split into four different hex-encoded, encrypted blobs that contain different parts of the configuration.

Backdoor capabilities

Once the backdoor communicated about its newly compromised machine, attackers take control of the backdoor and start sending commands manually.

• The first set of commands collect information about the victim’s system and environment.
• These commands don't have any arguments.
• The next set of commands are executed immediately after the backdoors are activated.
• The attackers behind Zebrocy drop dumpers on victims’ computers in order to collect more information.
• These dumpers collect login credentials and private keys from web browsers including Yandex Browser, Chromium, 7Star Browser (a Chromium-based browser), CentBrowser, and versions of Microsoft Outlook from 1997 through 2016.

“Observing commands used in the wild by the operator is quite interesting. They are gathering a considerable amount of information on the compromised target and they are not worried about duplicated data,” researchers explained in a blog.