Threat Signal Report

Joint Malware Analysis Report on "Zebrocy" Backdoor (APT28)

Description

Today, the Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber National Mission Force released a Malware Analysis Report (MAR) on the malware family known as Zebrocy. This latest alert highlights two newly discovered variants of the Zebrocy backdoor. Contained within this MAR are technical descriptions of the samples analyzed. As part of our partnership with the Cyber Threat Alliance (CTA), we received advanced notification from CISA before today's announcement.


What are the Technical Details?

The two files analyzed are Windows 32-bit executable files written in the Go programming language (Golang). Golang files are tedious to analyze, which offers an explanation as to why this platform was likely chosen by the threat actors.

According to the report, the file can take an argument that is supposed to be an XOR and HEX encoded URI (uniform resource identifier) or plaintext URI. The URI can either be a predetermined domain or an IP address and port. When it is run, it can take the URI string and encrypt it using AES-128 along with appending a key that is generated specifically from the victim's hostname.

It can collect information specific to the victims environment, such as username, time of infection and 6 bytes of a users Security Identifier for further reconnaissance. The information is then encrypted and HEX encoded for further exfiltration to a remote server.

The malware can perform the following functions:

Manipulation of files (create, modify and delete)

Execution of commands via cmd.exe

Taking screenshots of victim environment

Drive enumeration

Setting persistence via scheduled task creation


Who is Behind Zebrocy?

Attribution to the Zebrocy malware family (also referred to as Sofacy) is APT28. APT28 is also known as Fancy Bear, Pawn Storm, Sednit, and Strontium. This threat actor is attributed to the Russian government (GRU 85th GTsSS).


Why is APT28 Significant?

APT28 main targets are ones that appear to be of interest to the government of Russia. Previous attacks by APT 28 were not just limited to various government entities, but ranged from Russian citizens who were critical of the government to the anti-Putin rock band, Pussy Riot. APT 28 was responsible for the World Anti-Doping Agency (WADA) attacks at the Rio Olympics (2016). In similar fashion to APT29 (discussed below), APT28 was also responsible for the DNC attacks in 2016 as well.


Although APT28 is attributed to the government of Russia, it is not to be confused with APT29/Cozy Bear/Duke, which is another group attributed to Russia. APT29/Cozy Bear/Duke has been in operation since 2008. Previous attacks attributed to this threat actor have been against various companies, governmental agencies, research institutions, non-governmental organizations, and think tanks across multiple countries. Other high profile attacks attributed to this group are the attacks on the United States Pentagon in 2015, the Democratic National Committee (DNC) email leaks in 2016, and various United States think tanks and NGOs in 2017. Both groups rely on spearphishing attacks.


What Operating Systems are Affected?

Windows based operating systems.


What is the Severity of Impact?

The severity should be regarded as medium. This is due to the lack of specifics related to observed, in the wild attacks.


Any Suggested Mitigations?

FortiGuard Labs recommends that all AV and IPS definitions are kept up to date on a continual basis, and that organizations maintain a proactive patching routine when vendor updates are available. If it is deemed that patching is not feasible, it is recommended that a risk assessment is conducted to determine additional mitigation safeguards within an environment.

In the meantime, organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.


What is the Status of AV and IPS Coverage?

FortiGuard Labs has AV coverage in place for publicly available samples as:

W32/Zebrocy.A!tr


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.