The authors of the Zebrocy malware have added a new delivery method to their tactics.
Researchers analyzing the latest Zebrocy versions found that its operators, APT28, have switched to the Golang language, moving away from the languages used earlier: Delphi, AutoIT, C++, C#, and VB.NET.
- Researchers observed a VHD file containing a PDF document and an executable masquerading as a Microsoft Word document; the executable actually contained the Zebrocy malware.
- Hiding the malware inside a VHD file successfully tricks some antivirus engines into missing what is otherwise generic malware.
- The threat actors distributed it with COVID-19 vaccine-themed phishing lures: malware-laden documents about Sinopharm International Corporation.
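As an added example (not part of the original article), the following Python check flags the two tricks described above from magic bytes alone: an attachment that is really a VHD image, and a PE executable whose file name looks like a Word document. All sample bytes are constructed.

```python
# Added example: content-based triage of attachments, independent of extension.
import struct

VHD_COOKIE = b"conectix"           # cookie that opens every VHD footer (and header copy)
DOC_EXTENSIONS = (".doc", ".docx")  # names a PE file should never legitimately carry


def is_vhd_image(data: bytes) -> bool:
    """A VHD ends with a 512-byte footer starting with 'conectix'; dynamic and
    differencing images also keep a copy of that footer at offset 0."""
    if len(data) < 512:
        return False
    return data[:8] == VHD_COOKIE or data[-512:][:8] == VHD_COOKIE


def is_pe_executable(data: bytes) -> bool:
    """MZ DOS header whose e_lfanew field (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(name: str, data: bytes) -> str:
    """Return a triage label for one attachment based on its bytes and name."""
    lower = name.lower()
    if is_vhd_image(data):
        return "vhd-container"
    if is_pe_executable(data) and lower.endswith(DOC_EXTENSIONS):
        return "pe-masquerading-as-document"
    if is_pe_executable(data):
        return "pe-executable"
    return "benign-or-unknown"


def _fake_pe() -> bytes:
    # constructed: 64-byte DOS header with e_lfanew = 0x40, then a PE signature
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


def _fake_vhd() -> bytes:
    # constructed: 1 KiB of disk payload followed by a 512-byte VHD footer
    return b"\x00" * 1024 + VHD_COOKIE + b"\x00" * 504


if __name__ == "__main__":
    for fname, blob in [("image.vhd", _fake_vhd()), ("Sinopharm.doc", _fake_pe()),
                        ("report.pdf", b"%PDF-1.7\n")]:
        print(fname, "->", classify(fname, blob))
```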
In November, US Cyber Command, together with CISA and the FBI, exposed two Zebrocy samples used by the APT28 hacking group and described Zebrocy's inner workings.
Recent Zebrocy campaigns by APT28
- Only toward the end of September this year, it was disclosed that APT28 was delivering the Delphi version of Zebrocy to a specific government body in Azerbaijan, using NATO's upcoming training as a lure.
- The Russian-speaking threat actor APT28 had been conducting similar campaigns with the Delphi variant of the Zebrocy toolset since at least August.
The rapid evolution and constant progress of the Zebrocy malware demonstrate the threat actor’s proficiency in obfuscation and delivery techniques. Additionally, the use of current topics makes it a potent threat.
Consequently, our internal experts suggest that organizations use defense-in-depth strategies for the prevention of such threats.