Recently, APT28 has been found distributing the Zebrocy malware. The lure was delivered as part of a Virtual Hard Drive (VHD) file that requires victims to use Windows 10 to access the files. The malware samples were heavily obfuscated. Zebrocy is a malware used by the threat group APT28, also known as Sofacy, Sednit, Fancy Bear, and STRONTIUM. The malware was first used in 2015 and overlapped with known Sofacy infrastructure at the time. Zebrocy operates as a downloader and collects information about the infected host that is uploaded to the command and control (C&C) server before downloading and executing the next stage.
The first version of the downloader was written in Delphi and was based on a previous malware used by Sofacy. Zebrocy samples written in AutoIT, C++, C#, Delphi, Go, and VB.NET have been discovered by the research community. The group is believed to be the successor of BlackEnergy, also known as Sandworm. Sandworm was recently attributed to Russia’s GRU by the United States government in an indictment for the NotPetya and Olympic Destroyer campaigns. Generally speaking, Sofacy and BlackEnergy have diverging goals and have been known to go after different targets. In this case, the common infrastructure and targets between the Sofacy subgroup using Zebrocy and GreyEnergy suggests a relationship between the groups. Targets have been located in Afghanistan, Azerbaijan, Bosnia and Herzegovina, China, Egypt, Georgia, Iran, Japan, Kazakhstan, Korea, Kyrgyzstan, Mongolia, Russia, Saudi Arabia, Serbia, Switzerland, Tajikistan, Turkey, Turkmenistan, Ukraine, Uruguay, and Zimbabwe. The delivery of Zebrocy is usually via a spear-phishing email. The email has contained Microsoft Office documents or archive files. Same files have been renamed to target different victims.