Zebrocy was first reported by Kaspersky Lab in its 2017 APT Trends report, and the Russian threat actor behind it (APT28, also tracked as Sofacy) is known for malware campaigns that rely on phishing lures to deliver the Zebrocy malware.
The most recent APT28 operation, according to cybersecurity firm Intezer, uses COVID-19 themed phishing emails to deliver the Go ("Golang") version of Zebrocy. Zebrocy was originally written in Delphi (that variant is called Delphocy), but it has since been rewritten in over a dozen other languages, including C++, C#, AutoIT, Go, Python, and VB.NET.
How APT28 hackers are using a COVID-19 lure to deliver Zebrocy malware
Zebrocy has mainly been employed against governments and organizations engaged in foreign affairs, and the recent campaign is yet another cyberattack using COVID-19 as a phishing lure, showing how attackers repurpose current world events to their own ends.
Intezer researchers discovered a Virtual Hard Drive (VHD) file named 30-22-243.vhd that was uploaded to VirusTotal from Azerbaijan. VHD is the native virtual disk format used by Microsoft's Hyper-V, and Windows 10 supports it natively, so a user who opens the file mounts it as a drive and can browse its contents directly.
According to the timestamps stored in the file, the disk was created on November 20, 2020, about 10 days before it was uploaded to VirusTotal.
Because Windows hides known file extensions by default, the malicious file inside the disk image can be mistaken for a Word document. Only a handful of the 70 antivirus engines on VirusTotal detected the file, and then only as generic malware, whereas Intezer Analyze identified it as malware associated with Sofacy.
How to mitigate the Zebrocy malware
The Zebrocy backdoor has also caught the attention of the US Cybersecurity and Infrastructure Security Agency (CISA), which released an advisory cautioning that the malware is "designed to allow a remote operator to perform various functions on the compromised system."
CISA therefore recommends that Windows users exercise caution when using removable media and when opening email attachments from unknown senders, and that suspicious email attachments be scanned to ensure the extension of each attachment matches its file header. Since a VHD is itself a container that carries a perfectly valid header, that check has to be applied to the files inside the mounted image as well, not only to the attachment; turning off the Explorer option that hides known extensions also removes the disguise that makes an executable look like a Word document.
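The extension-versus-header check CISA describes, and the hidden-extension trick mentioned earlier, as an added example written for this page (it is not Intezer's or CISA's tooling). The magic-byte signatures are the well-known format identifiers; the sample attachments, including the stand-in for a VHD, are constructed inline and are not real samples from the campaign.

```python
"""Added example: flag email attachments whose extension disagrees with their header.

The signatures are the standard magic bytes of each format. The sample
attachments at the bottom are constructed for this example only.
"""
import os

# Signatures at offset 0 for common attachment formats (well-known values).
HEAD_SIGNATURES = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",                         # DOCX/XLSX/PPTX are ZIP containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy .doc/.xls (OLE compound file)
    b"MZ": "pe",                                  # Windows EXE/DLL/SCR
    b"\x7fELF": "elf",
}

# The header family each extension must carry to be considered consistent.
EXPECTED_TYPE = {
    ".pdf": "pdf", ".docx": "zip", ".xlsx": "zip", ".pptx": "zip", ".zip": "zip",
    ".doc": "ole", ".xls": "ole",
    ".exe": "pe", ".dll": "pe", ".scr": "pe",
    ".vhd": "vhd",
}

VHD_COOKIE = b"conectix"  # 8-byte cookie that opens the 512-byte VHD footer


def detect_type(data: bytes) -> str:
    """Return a coarse format label from the bytes, or 'unknown' if nothing matches."""
    # A fixed VHD keeps its footer in the last 512 bytes; a dynamic VHD also
    # mirrors that footer at offset 0, so both positions are checked.
    if len(data) >= 512 and (data[-512:].startswith(VHD_COOKIE) or data[:8] == VHD_COOKIE):
        return "vhd"
    for magic, label in HEAD_SIGNATURES.items():
        if data.startswith(magic):
            return label
    return "unknown"


def effective_extension(filename: str) -> str:
    """The extension Windows actually dispatches on: the last one, lower-cased.
    'report.docx.exe' is an .exe even though Explorer may display 'report.docx'."""
    return os.path.splitext(filename)[1].lower()


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the effective extension with the detected header and report findings."""
    ext = effective_extension(filename)
    detected = detect_type(data)
    expected = EXPECTED_TYPE.get(ext)
    findings = []

    # A second, document-looking extension before the real one is the classic
    # disguise that hidden-extension display turns into "report.docx".
    inner_ext = os.path.splitext(os.path.splitext(filename)[0])[1].lower()
    if inner_ext in EXPECTED_TYPE and inner_ext != ext:
        findings.append("double_extension")

    if expected is None:
        findings.append("unknown_extension")
    elif detected != expected:
        findings.append("header_mismatch")
    return {"extension": ext, "detected": detected, "findings": findings}


def build_vhd_like(payload: bytes) -> bytes:
    """Constructed stand-in for a fixed VHD: content followed by a 512-byte footer
    that opens with the 'conectix' cookie (the rest of the footer is zeroed here)."""
    return payload + VHD_COOKIE + b"\x00" * (512 - len(VHD_COOKIE))


# Constructed sample attachments (hypothetical names and contents).
SAMPLES = {
    "30-22-243.vhd": build_vhd_like(b"\x00" * 1024),     # consistent VHD container
    "report.docx": b"PK\x03\x04" + b"\x00" * 60,         # genuine OOXML header
    "report.docx.exe": b"MZ" + b"\x90" * 120,            # shown as "report.docx" by Explorer
    "invoice.pdf": b"MZ" + b"\x00" * 100,                # executable wearing a PDF extension
}


def scan_samples() -> dict:
    """Run the check over every constructed sample and return the results by name."""
    return {name: check_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        status = ", ".join(result["findings"]) or "ok"
        print(f"{name:18} ext={result['extension']:6} header={result['detected']:8} {status}")
```

The VHD sample passes the check, which is exactly the point of the caveat above: the container is well-formed, so the same `check_attachment` has to be run over each file extracted from the mounted image before anything inside it is trusted.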