Rewterz Threat Alert – Russian APT28 Delivers Zebrocy Malware

Severity

High

Analysis Summary

Recently, APT28 has been found distributing the Zebrocy malware. The lure was delivered as part of a Virtual Hard Drive (VHD) file that requires victims to use Windows 10 to access the files. The malware samples were heavily obfuscated. Zebrocy is a malware used by the threat group APT28, also known as Sofacy, Sednit, Fancy Bear, and STRONTIUM. The malware was first used in 2015 and overlapped with known Sofacy infrastructure at the time. Zebrocy operates as a downloader and collects information about the infected host that is uploaded to the command and control (C&C) server before downloading and executing the next stage. 
The first version of the downloader was written in Delphi and was based on a previous malware used by Sofacy. Zebrocy samples written in AutoIT, C++, C#, Delphi, Go, and VB.NET have been discovered by the research community. The group is believed to be the successor of BlackEnergy, also known as Sandworm. Sandworm was recently attributed to Russia’s GRU by the United States government in an indictment for the NotPetya and Olympic Destroyer campaigns. Generally speaking, Sofacy and BlackEnergy have diverging goals and have been known to go after different targets. In this case, the common infrastructure and targets between the Sofacy subgroup using Zebrocy and GreyEnergy suggests a relationship between the groups. Targets have been located in Afghanistan, Azerbaijan, Bosnia and Herzegovina, China, Egypt, Georgia, Iran, Japan, Kazakhstan, Korea, Kyrgyzstan, Mongolia, Russia, Saudi Arabia, Serbia, Switzerland, Tajikistan, Turkey, Turkmenistan, Ukraine, Uruguay, and Zimbabwe. The delivery of Zebrocy is usually via a spear-phishing email. The email has contained Microsoft Office documents or archive files. Same files have been renamed to target different victims. 

Impact

• Information Theft
• Data Exfiltration
• Information Disclosure 

Indicators of Compromise

Domain Name

• support-cloud[.]life

MD5

• 855005fee45e71c36a466527c7fad62f
• 72552ef22b484f8868dab10b0f605779
• 6e1afd4df848888056494247fcf88f53
• 49a34cfbeed733c24392c9217ef46bb6
• 395e166af5197967503f45c3ac134ff7

SHA-256

• d5d9210ef49c6780016536b0863cc50f6de03f73e70c2af46cc3cff0e2bf9353
• 6449d0cb1396d6feba7fb9e25fb20e9a0a5ef3e8623332844458d73057cf04a1
• 61c2e524dcc25a59d7f2fe7eff269865a3ed14d6b40e4fea33b3cd3f58c14f19
• f36a0ee7f4ec23765bb28fbfa734e402042278864e246a54b8c4db6f58275662
• d444fde5885ec1241041d04b3001be17162523d2058ab1a7f88aac50a6059bc0

SHA1

• bfe3e62770c8a4479d19ee4208410199b7484924
• 40ef7b08f271cee4482f01b820d1c54e0fdf9d89
• a0a00e3efd4900f1a0e73b68399049b9293e48da
• fbe27e84dd553477894242844652a30eb7d713bc
• 5761e431cf35b39bb4a9cf0a7dfd913fa822fe48

Source IP

• 89[.]37[.]226[.]148
• 80[.]90[.]39[.]24

URL

• https[:]//support-cloud[.]life/managment/cb-secure/technology[.]php
• http[:]//89[.]37[.]226[.]148/technet-support/library/online-service-description[.]php

Remediation

• Block the threat indicators at their respective controls.
• Do not download files attached in untrusted emails.