Cybersecurity firm ESET published a report describing the activity of Zebrocy toolkit associated with an advanced threat group known as Sednit, APT28, Fancy Bear, Sofacy or STRONTIUM. According to the analysis, malware operators run commands manually to collect a vast amount of data from infected systems, ranging from documents and pictures to databases stored by web browsers and email clients.

Three years ago, the Sednit group incorporated in its attacks new components targeting victims in various countries in the Middle East and Central Asia. Since then, the number and diversity of components has increased drastically, said the researchers. They have analyzed the campaign that was launched at the end of August 2018, in which the group distributed spearphishing emails containing shortened URLs that delivered the first stage of Zebrocy components. Although in the past the gang used a similar technique for credential fishing it is unusual for the Sednit to use this method to deliver one of its malware components directly.

The experts have examined a version of the Zebrocy backdoor written in Delphi (versions written in AutoIt and C++ also exist) with the focus on the commands used by the malware. They believe that the Zebrocy backdoor was spreading through the spearphishing email, although they have yet to recover a sample of a malicious message. Also, it is unclear if the email contained instructions for the victim. The URL led to an archive with two files: the first is an executable file, while the second is a decoy PDF document.

“That document appears to be empty, but the downloader, which is written in Delphi, continues running in the background. The IP address is also used in the URL hardcoded into the first binary downloader,”explain the researchers.

The Stage-1 downloader downloads and executes a new downloader, written in C++, which, in turn, creates an ID and downloads a new backdoor written in Delphi. Its configuration file is splitted into four different hex-encoded, encrypted blobs. Once the backdoor sends basic information about its newly compromised system, the operators take control of the backdoor and start to send commands right away. According to ESET, the latest version of the backdoor supports more than 30 commands, including ones that allow the operators to conduct reconnaissance on the infected computer, gather data on the system and its network and so on.

In order to get information Zebrocy operators upload on the target machines tools that collect login credentials and private keys from web browsers (Yandex Browser, Chromium, 7Star Browser (a Chromium-based browser), CentBrowser, and versions of Microsoft Outlook from 1997 through 2016. These tools are quickly removed once they are not needed anymore.

Zebrocy backdoor looks for databases from other apps, such as Firefox and Opera browsers or email client The Bat!. "The operators retrieve these files on the machine using the DOWNLOAD_LIST command. This command can be used when the operators are aware of the presence of interesting files on the computer," say the researchers

If the victim is deemed interesting Zebrocy is used to deploy another custom backdoor, which is executed using the command "CMD_EXECUTE:". The researchers were not able to determine the purpose of this custom backdoor, but said that it is quickly removed after the operators complete their tasks.