Published on May 27th, 2019 📆 | 7213 Views ⚑
0Fancy Bear APT Hackers Owned Zebrocy Malware Opens Backdoor
Cybercriminals from Sednit group, also known as Fancy Bear, APT28, Sofacy launching new Zebrocy Malware that indented to open backdoor on the targeted machine to gain the remote access.
The sednit hacking group operates since 2004, the threat operators from this group employed a verity of hacking tools to perform its espionage operations.
Researchers from ESET believes that the Sednit group unleashed new components that target victims in various countries in the Middle East and Central Asia in 2015. Since then, the number and diversity of components have increased drastically.
Unlike other malware, Threat actors from Sednit group launched a spearphishing email campaign along with shortening URL using Bitly to delivery the first stage of malware, which is pretty unusual.
Based on ESET telemetry data, the URL is being delivered through the spearphishing Email, and the link is IP based which holding the archive payload in background.
Zebrocy Malware infection Process
Archived payload contains two files, in which, the first file indicate the malicious executable and the second file holding the weaponized PDF file.
Once the victims click the file, the binary will be executed, and its promote user to enter the password; eventually, PDF will open after the validation attempt.
PDF documents appeared to be empty, but the downloader start its malicious process in the background which is written in Delphi, and his first stage of the downloader will download another new downloader and execute it.
According to ESET, Once again this downloader is as straightforward as the Zebrocy gangâs other downloaders. It creates an ID and it downloads a new, interesting backdoor, (this time) written in Delphi.â
Later this backdoor will reside in the resource session and is split into four different hex-encoded, encrypted blobs.
Once the backdoor takes the system control, it sends necessary information about its newly compromised system, the operators take control of the backdoor and start to send commands right away.
There are some of the first set of the command that utilize the information about the victimâs computer and environment.
Commands | Arguments |
---|---|
SCREENSHOT | None |
SYS_INFO | None |
GET_NETWORK | None |
SCAN_ALL | None |
âThe commands above are commonly executed when the operators first connect to a newly activated backdoor. They donât have any arguments, and they are quite self-explanatory. Other commands commonly seen executed shortly after these backdoors are activatedâ, listed below:
Commands | Arguments |
---|---|
REG_GET_KEYS_VALUES | HKEY_CURRENT_USERÂ SoftwareMicrosoftWindowsCurrentVersion |
DOWNLOAD_DAY(30) | c:*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg;*.jpeg; *.bmp;*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*
d:*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg;*. |
DOWNLOAD_DAY(1) | c:*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg*
d:*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg* |
CMD_EXECUTE | echo %APPDATA% ipconfig /all netstat -aon |
CMD_EXECUTE | wmic process get Caption,ExecutablePath reg query âHKCUSoftwareMicrosoftWindowsCurrentVersionRunâ /s |
The interesting part is that the threat actors also deploy the custom backdoor on the victimâs machine, and they use COM object hijacking to make the malware persistent on the system.
But unfortunately, researchers unclear what the purpose of this custom backdoor and also it living a short time in the system. Later threat actors quickly remove it once they complete the task.
You can Download Free E-book to learn about complete Enterprise Security Implementation & Mitigation Steps â Download Free-Ebook Here.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.
Read More:
MuddyWater APTâs BlackWater Malware Campaign Install Backdoor on Victims PC to Gain Remote Access & Evade Detection
Gloss