Zebrocy

Zebrocy is a malicious software (malware) known for its capability to exploit and damage computer systems. It infiltrates the system through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. The Zebrocy Trojan, a variant of this malware, collects system-specific information and sends it to the Command and Control (C2) server via an HTTP POST request. This specific variant also captures a screenshot of the victim's host as a JPEG image, sending it to the C2 server. System information collection is achieved by running the command SYSTEMINFO & TASKLIST on the command line and enumerating information about connected storage devices. The analyzed first-stage payload revealed a consistent pattern with the well-documented Zebrocy Trojan. Among the additional samples collected, most were Delphi and AutoIT variants, while several were a C++ variant of the Zebrocy downloader tool. One of the samples collected was found attempting to communicate with its C2 at a specific URL to retrieve a Zebrocy AutoIT downloader. In another instance, the Mark of the Web (MOTW) was bypassed, and a PDF file with a backdoor was opened to download either the Sednit or Zebrocy malware. Techniques from previous Zebrocy spear-phishing attempts were observed being duplicated and passed around. Interestingly, one of the samples targeted the same large Central Asian nation state as previously mentioned. It was a weaponized document leveraging Dynamic Data Exchange (DDE) and containing a non-Zebrocy payload. During analysis, this DDE was seen downloading and executing a Zebrocy AutoIt downloader configured to attempt to download an additional payload from a specific IP address. The C2 server provided a secondary payload functionally similar to the initial Zebrocy sample. The payload dropped to the system is a UPX packed Zebrocy variant written in the Delphi language. The LNK files were an especially interesting development as the PowerShell code they contain for decoding and dropping the payload is nearly identical to that utilized by the Zebrocy threat actor a month earlier.