23 May 2019

Researchers shed some light on commands used by Zebrocy toolkit

Cybersecurity firm ESET published a report describing the activity of Zebrocy toolkit associated with an advanced threat group known as Sednit, APT28, Fancy Bear, Sofacy or STRONTIUM. According to the analysis, malware operators run commands manually to collect a vast amount of data from infected systems, ranging from documents and pictures to databases stored by web browsers and email clients.

Three years ago, the Sednit group incorporated into its attacks new components targeting victims in various countries in the Middle East and Central Asia. Since then, the number and diversity of components has increased drastically, said the researchers. They analyzed a campaign launched at the end of August 2018, in which the group distributed spearphishing emails containing shortened URLs that delivered the first stage of the Zebrocy components. Although in the past the group used a similar technique for credential phishing, it is unusual for Sednit to use this method to deliver one of its malware components directly.

The experts examined a version of the Zebrocy backdoor written in Delphi (versions written in AutoIt and C++ also exist), focusing on the commands used by the malware. They believe that the Zebrocy backdoor was spread through spearphishing emails, although they have yet to recover a sample of a malicious message. It is also unclear whether the email contained instructions for the victim. The URL led to an archive with two files: the first is an executable, while the second is a decoy PDF document.

“That document appears to be empty, but the downloader, which is written in Delphi, continues running in the background. The IP address is also used in the URL hardcoded into the first binary downloader,” explain the researchers.

The stage-1 downloader downloads and executes a new downloader, written in C++, which in turn creates an ID and downloads a new backdoor written in Delphi. Its configuration file is split into four different hex-encoded, encrypted blobs. Once the backdoor sends basic information about the newly compromised system, the operators take control of the backdoor and start sending commands right away. According to ESET, the latest version of the backdoor supports more than 30 commands, including ones that allow the operators to conduct reconnaissance on the infected computer and gather data on the system and its network.

To gather information, Zebrocy operators upload to the target machines tools that collect login credentials and private keys from web browsers (Yandex Browser, Chromium, 7Star Browser (a Chromium-based browser) and CentBrowser) and from versions of Microsoft Outlook from 1997 through 2016. These tools are quickly removed once they are no longer needed.

The Zebrocy backdoor also looks for databases from other applications, such as the Firefox and Opera browsers or the email client The Bat!. "The operators retrieve these files on the machine using the DOWNLOAD_LIST command. This command can be used when the operators are aware of the presence of interesting files on the computer," say the researchers.

If the victim is deemed interesting, Zebrocy is used to deploy another custom backdoor, which is executed using the command "CMD_EXECUTE:". The researchers were not able to determine the purpose of this custom backdoor, but said that it is quickly removed after the operators complete their tasks.
