A Russian threat actor known for its malware campaigns has reappeared in the threat landscape with yet another attack that uses COVID-19 as a phishing lure. The operation, attributed to a sub-group of APT28, employed pandemic-themed phishing emails to deliver the Go version of the Zebrocy malware.
Zebrocy is delivered primarily via phishing attacks that contain decoy Microsoft Office documents with macros as well as executable file attachments.
The operators behind the malware have been found to overlap with GreyEnergy, a threat group believed to be the successor of BlackEnergy aka Sandworm.
It operates as a backdoor and downloader capable of collecting system information, manipulating files, capturing screenshots, and executing commands, with the results exfiltrated to an attacker-controlled server.
While Zebrocy was originally written in Delphi (that variant is known as Delphocy), it has since been implemented in half a dozen languages, including AutoIT, C++, C#, Go, Python, and VB.NET. In this campaign the lure is delivered inside a Virtual Hard Disk (VHD) file, which victims must mount on Windows 10 to access the files it contains.
Once mounted, the VHD file appears as an external drive with two files, one a PDF document that purports to contain presentation slides about Sinopharm International Corporation, a China-based pharmaceutical company whose COVID-19 vaccine has been found to be 86% effective against the virus in late-stage clinical trials.
The second file is an executable that masquerades as a Word document and, when opened, runs the Zebrocy malware.
Phishing campaigns delivering Zebrocy have been spotted several times in the wild in recent months, including a Zebrocy Delphi variant used against targets in Azerbaijan and a Golang version of the Zebrocy backdoor on which CISA issued an advisory.
To thwart such attacks, CISA recommends exercising caution when using removable media and when opening emails and attachments from unknown senders, scanning suspicious email attachments, and verifying that a scanned attachment's extension matches its file header (the magic bytes that identify the true file type), since an executable renamed to look like a document will still start with the PE "MZ" signature.
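The extension-versus-header check CISA describes, and the executable-disguised-as-Word-document lure from this campaign, as an added example written for this page (not code from the article, from CISA, or from any vendor tooling). The signature table, the constructed sample attachments and their names are assumptions made for the example; the VHD detection looks for the "conectix" cookie in the 512-byte footer, which a fixed-size VHD only carries at the end of the file and a dynamic VHD also repeats at offset 0.

```python
"""Flag attachments whose extension does not match their magic bytes.

Added example for this page; not part of the original article or any
CISA tooling.  Sample attachments below are constructed inline.
"""
import os
from typing import Dict, List, Tuple

# Leading magic bytes for each content type we care about.
# The PE ("MZ") entry is what catches an executable renamed to .docx.
SIGNATURES: Dict[str, List[bytes]] = {
    "pe":    [b"MZ"],
    "pdf":   [b"%PDF-"],
    "ooxml": [b"PK\x03\x04"],                           # .docx/.xlsx/.pptx (ZIP)
    "ole":   [b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"],    # legacy .doc/.xls
    "vhd":   [b"conectix"],                             # dynamic VHD copy-of-footer header
}

# Content types each extension is allowed to carry (assumed policy).
EXPECTED: Dict[str, set] = {
    ".exe": {"pe"}, ".dll": {"pe"},
    ".pdf": {"pdf"},
    ".docx": {"ooxml"}, ".xlsx": {"ooxml"}, ".pptx": {"ooxml"},
    ".doc": {"ole"}, ".xls": {"ole"},
    ".vhd": {"vhd"},
}

VHD_FOOTER_SIZE = 512


def identify(data: bytes) -> str:
    """Return the content type implied by the file's bytes, or 'unknown'."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    # A fixed-size VHD has no header at offset 0; its footer is the last 512 bytes.
    if len(data) >= VHD_FOOTER_SIZE and data[-VHD_FOOTER_SIZE:].startswith(b"conectix"):
        return "vhd"
    return "unknown"


def check_attachment(name: str, data: bytes) -> Tuple[str, str, bool]:
    """Return (extension, detected kind, ok).  ok is False on any mismatch
    and for extensions outside the allow-list, so both get human review."""
    ext = os.path.splitext(name)[1].lower()
    kind = identify(data)
    allowed = EXPECTED.get(ext)
    ok = allowed is not None and kind in allowed
    return ext, kind, ok


def scan(attachments: Dict[str, bytes]) -> List[str]:
    """Names of attachments that fail the extension/header check."""
    return [name for name, data in attachments.items()
            if not check_attachment(name, data)[2]]


# Constructed sample set mirroring the lure: a PDF, a PE renamed to .docx
# (the "Word document" that is really an executable), the VHD container
# itself, and a genuine OOXML file.
SAMPLE_ATTACHMENTS: Dict[str, bytes] = {
    "Sinopharm_slides.pdf":  b"%PDF-1.4\n%constructed sample\n",
    "Sinopharm_notes.docx":  b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "Sinopharm.vhd":         b"\x00" * 1024 + b"conectix" + b"\x00" * 504,
    "invoice.docx":          b"PK\x03\x04\x14\x00" + b"\x00" * 20,
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        ext, kind, ok = check_attachment(name, data)
        print(f"{name:24s} ext={ext:6s} header={kind:8s} {'OK' if ok else 'MISMATCH'}")
    print("flagged:", scan(SAMPLE_ATTACHMENTS))
```

Feed `scan` the files extracted from a mounted VHD as well as the VHD attachment itself; the container passes the check, and the renamed executable inside it is what gets flagged.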