Zebrocy, the Russian-speaking threat group that shares similarities and overlaps with both the Sofacy and BlackEnergy APTs, is once again roaming the wide plain of government, foreign-affairs and military targets. Researchers have spotted the group using a new first-stage malware dropper in recent campaigns, prompting an analysis that offers deeper clues as to the group’s role in the APT landscape. The dropper in turn fetches the group’s custom backdoors.
In the most recent campaign, “Zebrocy spearphished a fairly long list of targets throughout the world with a new Nim downloader,” Kaspersky Lab researchers said in an analysis on Monday, noting that they saw the activity begin in April. Targeted locations included Germany and the United Kingdom in Western Europe. Closer to Zebrocy’s neighborhood, the group is targeting Afghanistan, Kazakhstan, Kyrgyzstan, Tajikistan and Turkmenistan. It’s also targeting Syria and Iran, in the Middle East, and Myanmar and Tanzania in Asia and Africa, respectively.
A Support Group
Kaspersky’s analysis of Zebrocy shows that it specializes in victim profiling and access, with roots that stretch back to 2013. It shares malware artifacts and similarities with BlackEnergy and Sofacy, “suggesting a supportive role as a sub-group,” according to researchers.
The analysis shows that Zebrocy shares limited infrastructure, targets and interests with Sofacy, a.k.a. Fancy Bear, Sednit or APT28, which is the group widely viewed as responsible for the 2016 election hacks in the US, among other campaigns. There’s also some malware overlap. Kaspersky Lab also said that Zebrocy has shared targeting and malware code with BlackEnergy, the group behind the 2015 Ukraine blackout.
And, “Oddly, Turla deployed spearphish macros almost identical to previous, non-public Zebrocy code in 2018,” the researchers noted.
Its role, according to Kaspersky Lab, is to gain an initial foothold in target systems before the other groups deploy their destructive and espionage tools.
“Consistent profiling and process enumeration reporting behavior has been redeveloped and redeployed in Zebrocy backdoors across five+ years,” the researchers said. “Multiple bespoke second-stage implants perform credential-harvesting based on stage one process enumeration.”
They added, “Because the group seems to maintain lineage in both the zero-day capable and destructive BlackEnergy/Sandworm APT and the prolific and zero-day capable Sofacy APT, this course is very interesting.”
Malware Salad
Zebrocy may overlap with the other, bigger, badder APTs, but it has its own bag of tricks. It doesn’t dabble in zero-days, preferring instead to develop an agile malware set that it uses in spearphishing activity. This custom malware set has also been coded in a half-dozen languages.
“We have noted a virtual salad of Zebrocy code tossed together, built with a handful of languages, often ripped from various code-sharing sites,” the analysts said, adding that this includes both legitimate and malicious code shared on online forums and sites like GitHub and Pastebin.
“This repeated copy/paste practice is not frequently seen in Russian speaking APT malware sets,” according to the analysis. “Also unusual, this Zebrocy malware assortment is frequently rebuilt on multiple languages, along with new malware components added to the mix.”
The researchers said that recent changes to its Go downloader variant make it clear that the Zebrocy malware set is still under active development, with observed activity continuing into late May 2019. The downloader fingerprints and profiles victims with screengrabs and system information collection, to inform second-stage credential-harvesting efforts.
“These backdoors also include a large amount of code included from external sources. They also include the Zebrocy Go backdoors [that] have been sent out in waves over the past year, maintaining a variety of project strings,” according to Kaspersky Lab researchers. They also said that the most recent loader represents both a return to C coding for the group and an expansion of its arsenal with the Nim language.
After the collected information is sent to the command-and-control (C2) server, the target system receives a custom-built, second-stage implant targeted to that machine, for the purpose of retrieving credentials from software sources. Some of them are surprising. For instance, Kaspersky Lab observed harvesting from little-known customized Chromium builds like CentBrowser and 7Star from Asian Studios.
In all, it’s clear that Zebrocy is robustly galloping along in its mission.
“Its ongoing activity demonstrates a long-game commitment to gaining access to targeted networks,” Kaspersky Lab concluded. “This latest new Nim coding adds to the growing list of languages for this malware set. We will see more from Zebrocy into 2019 on government and military related organizations.”