Threat Signal ReportJoint Malware Analysis Report on "Zebrocy" Backdoor (APT28)
Description
Today, the Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber National Mission Force released a Malware Analysis Report (MAR) on the malware family known as Zebrocy. This latest alert highlights two newly discovered variants of the Zebrocy backdoor. Contained within this MAR are technical descriptions of the samples analyzed. As part of our partnership with the Cyber Threat Alliance (CTA), we received advanced notification from CISA before today's announcement.
What are the Technical Details?
The two files analyzed are Windows 32-bit executable files written in the Go programming language (Golang). Golang files are tedious to analyze, which offers an explanation as to why this platform was likely chosen by the threat actors.
According to the report, the file can take an argument that is supposed to be an XOR and HEX encoded URI (uniform resource identifier) or plaintext URI. The URI can either be a predetermined domain or an IP address and port. When it is run, it can take the URI string and encrypt it using AES-128 along with appending a key that is generated specifically from the victim's hostname.
It can collect information specific to the victims environment, such as username, time of infection and 6 bytes of a users Security Identifier for further reconnaissance. The information is then encrypted and HEX encoded for further exfiltration to a remote server.
The malware can perform the following functions:
Manipulation of files (create, modify and delete)
Execution of commands via cmd.exe
Taking screenshots of victim environment
Drive enumeration
Setting persistence via scheduled task creation
Who is Behind Zebrocy?
Attribution to the Zebrocy malware family (also referred to as Sofacy) is APT28. APT28 is also known as Fancy Bear, Pawn Storm, Sednit, and Strontium. This threat actor is attributed to the Russian government (GRU 85th GTsSS).
Why is APT28 Significant?
APT28 main targets are ones that appear to be of interest to the government of Russia. Previous attacks by APT 28 were not just limited to various government entities, but ranged from Russian citizens who were critical of the government to the anti-Putin rock band, Pussy Riot. APT 28 was responsible for the World Anti-Doping Agency (WADA) attacks at the Rio Olympics (2016). In similar fashion to APT29 (discussed below), APT28 was also responsible for the DNC attacks in 2016 as well.
Although APT28 is attributed to the government of Russia, it is not to be confused with APT29/Cozy Bear/Duke, which is another group attributed to Russia. APT29/Cozy Bear/Duke has been in operation since 2008. Previous attacks attributed to this threat actor have been against various companies, governmental agencies, research institutions, non-governmental organizations, and think tanks across multiple countries. Other high profile attacks attributed to this group are the attacks on the United States Pentagon in 2015, the Democratic National Committee (DNC) email leaks in 2016, and various United States think tanks and NGOs in 2017. Both groups rely on spearphishing attacks.
What Operating Systems are Affected?
Windows based operating systems.
What is the Severity of Impact?
The severity should be regarded as medium. This is due to the lack of specifics related to observed, in the wild attacks.
Any Suggested Mitigations?
FortiGuard Labs recommends that all AV and IPS definitions are kept up to date on a continual basis, and that organizations maintain a proactive patching routine when vendor updates are available. If it is deemed that patching is not feasible, it is recommended that a risk assessment is conducted to determine additional mitigation safeguards within an environment.
In the meantime, organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.
What is the Status of AV and IPS Coverage?
FortiGuard Labs has AV coverage in place for publicly available samples as:
W32/Zebrocy.A!tr
