Zebrocy

Malware updated 16 days ago (2024-10-15T10:01:28.761Z)
Download STIX
Preview STIX
Zebrocy is a malicious software (malware) known for its capability to exploit and damage computer systems. It infiltrates the system through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. The Zebrocy Trojan, a variant of this malware, collects system-specific information and sends it to the Command and Control (C2) server via an HTTP POST request. This specific variant also captures a screenshot of the victim's host as a JPEG image, sending it to the C2 server. System information collection is achieved by running the command SYSTEMINFO & TASKLIST on the command line and enumerating information about connected storage devices. The analyzed first-stage payload revealed a consistent pattern with the well-documented Zebrocy Trojan. Among the additional samples collected, most were Delphi and AutoIT variants, while several were a C++ variant of the Zebrocy downloader tool. One of the samples collected was found attempting to communicate with its C2 at a specific URL to retrieve a Zebrocy AutoIT downloader. In another instance, the Mark of the Web (MOTW) was bypassed, and a PDF file with a backdoor was opened to download either the Sednit or Zebrocy malware. Techniques from previous Zebrocy spear-phishing attempts were observed being duplicated and passed around. Interestingly, one of the samples targeted the same large Central Asian nation state as previously mentioned. It was a weaponized document leveraging Dynamic Data Exchange (DDE) and containing a non-Zebrocy payload. During analysis, this DDE was seen downloading and executing a Zebrocy AutoIt downloader configured to attempt to download an additional payload from a specific IP address. The C2 server provided a secondary payload functionally similar to the initial Zebrocy sample. The payload dropped to the system is a UPX packed Zebrocy variant written in the Delphi language. The LNK files were an especially interesting development as the PowerShell code they contain for decoding and dropping the payload is nearly identical to that utilized by the Zebrocy threat actor a month earlier.
Description last updated: 2024-10-15T09:19:11.950Z
What's your take? (Question 1 of 3)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The APT28 Threat Actor is associated with Zebrocy. APT28, also known as Fancy Bear or Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia. The group has been involved in several high-profile cyber-espionage activities, including the hacking of the Democratic National Committee (DNC) during the 2016 US Presidenhas used
3
The Sednit Threat Actor is associated with Zebrocy. Sednit, also known as APT28, Fancy Bear, Pawn Storm, Sofacy Group, BlueDelta, and Strontium, is a threat actor associated with Russia's military intelligence. The group has been active since at least 2007, primarily targeting governments, militaries, and security organizations worldwide. Notably, SeUnspecified
2