Zebrocy

Zebrocy is a well-documented Trojan malware that infiltrates systems to gather specific system information. Once installed, it sends the collected data to its Command and Control (C2) server via an HTTP POST request. The Zebrocy variant also captures a screenshot of the victim's host and transmits it as a JPEG image to the C2 server. It collects system-specific information by executing the command SYSTEMINFO & TASKLIST on the command line and enumerating details about connected storage devices. This Trojan can be tracked using AutoFocus with the Zebrocy and Cannon tags. The malware uses sophisticated techniques to bypass security measures and initiate downloads of either the Sednit or Zebrocy malware. It has been observed to use techniques borrowed from previous Zebrocy spearphishing campaigns, demonstrating how malicious strategies are often shared and replicated. In 2018, delivery techniques used by KopiLuwak unexpectedly matched those of Zebrocy spearphishing, marking the first such occurrence. Zebrocy was also found in weaponized documents targeting a large Central Asian nation state, using DDE and containing a non-Zebrocy payload. During analysis, the Zebrocy AutoIt downloader was observed downloading and executing a secondary payload from a specific IP address. The secondary payload functionally resembled the initial Zebrocy sample. The dropped payload was identified as a UPX packed Zebrocy variant written in Delphi. Interestingly, the PowerShell code contained in the .lnk files for decoding and dropping the payload was nearly identical to that used by Zebrocy a month earlier. This shift to C# coding in the Sofacy XTunnel codebase mirrors Zebrocy’s practice of recoding and innovating long-used modules in multiple languages. Limited activity from Sofacy was noted in distributing Gamefish, updating the Zebrocy toolset, and potentially registering new domains for future campaigns.