Zebrocy’s Evolution with Golang-Based Version Enjoys Low Detection
The hackers behind Zebrocy malware have added a new chapter in their malware delivery tactics book.
Key points about new Zebrocy variants
Researchers at Intezer have analyzed the latest versions of Zebrocy and discovered that the malware operators, APT28, have chosen the Golang language instead of any earlier used programming languages, such as Delphi, AutoIT, C++, C#, Delphi, and VB.NET.
- Researchers observed a VHD file containing a PDF document and an executable file masquerading as a Microsoft Word document, which actually contained the Zebrocy malware.
- The use of a VHD file to hide the malware successfully tricked the antivirus search engines from detecting the generic malware.
- For distribution of this version, the threat actor used COVID-19 vaccine-themed phishing lures embedded with malware-laden documents about Sinopharm International Corporation.
A view into the malware
In November, together with CISA and the FBI, US Cyber Command had exposed two samples of the Zebrocy malware, used by the APT28 hacking group, describing Zebrocy's inner workings.
Recent Zebrocy campaign by APT28
- In September-end, it was disclosed that the APT28 group was delivering the Zebrocy Delphi version using NATO’s upcoming training as a lure to target a specific government body in Azerbaijan.
- The Russian-speaking threat actor APT28 has been conducting similar campaigns with the Delphi variant of the Zebrocy toolset since at least August.
The bottom line
The continuous evolution of Zebrocy malware and the innovative method of using VHD files demonstrate the threat actor’s proficiency in obfuscation and delivery techniques. In addition, the use of current topics, such as COVID-19 and its vaccine to lure its victims makes this a deadly threat. Therefore, experts recommend that organizations use defense-in-depth strategies for prevention of such threats.