Thursday, July 25, 2024
EHA

Fancy Bear APT Hackers Owned Zebrocy Malware Opens Backdoor on Victims Machine to Control it Remotely

Cybercriminals from Sednit group, also known as Fancy Bear, APT28, Sofacy launching new Zebrocy Malware that indented to open backdoor on the targeted machine to gain the remote access.

The sednit hacking group operates since 2004, the threat operators from this group employed a verity of hacking tools to perform its espionage operations.

Researchers from ESET believes that the Sednit group unleashed new components that target victims in various countries in the Middle East and Central Asia in 2015. Since then, the number and diversity of components have increased drastically.

Unlike other malware, Threat actors from Sednit group launched a spearphishing email campaign along with shortening URL using Bitly to delivery the first stage of malware, which is pretty unusual.

Credits :ESET

Based on ESET telemetry data, the URL is being delivered through the spearphishing Email, and the link is IP based which holding the archive payload in background.

Zebrocy Malware infection Process

Archived payload contains two files, in which, the first file indicate the malicious executable and the second file holding the weaponized PDF file.

Once the victims click the file, the binary will be executed, and it promotes the user to enter the password; eventually, PDF will open after the validation attempt.

PDF documents appeared to be empty, but the downloader start its malicious process in the background which is written in Delphi, and this first stage of the downloader will download another new downloader and execute it.

According to ESET, Once again this downloader is as straightforward as the Zebrocy gang’s other downloaders. It creates an ID and it downloads a new, interesting backdoor, (this time) written in Delphi.”

Later this backdoor will reside in the resource session and is split into four different hex-encoded, encrypted blobs.

Once the backdoor takes the system control, it sends necessary information about its newly compromised system. Later the operators take control of the backdoor and start to send commands right away.

There are some of the first set of commands that utilize the information about the victim’s computer and environment.

CommandsArguments
SCREENSHOTNone
SYS_INFONone
GET_NETWORKNone
SCAN_ALLNone

“The commands above are commonly executed when the operators first connect to a newly activated backdoor. They don’t have any arguments, and they are quite self-explanatory. Other commands commonly seen executed shortly after these backdoors are activated”, listed below:

CommandsArguments
REG_GET_KEYS_VALUESHKEY_CURRENT_USER 
Software\Microsoft\Windows\CurrentVersion
DOWNLOAD_DAY(30)c:\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg;*.jpeg; *.bmp;*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*

d:\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg;*.
DOWNLOAD_DAY(1)
c:\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg*

d:\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg*
CMD_EXECUTEecho %APPDATA%
ipconfig /all
netstat -aon
CMD_EXECUTEwmic process get Caption,ExecutablePath
reg query
“HKCU\Software\Microsoft\Windows\CurrentVersion\Run” /s

The interesting part is that the threat actors also deploy the custom backdoor on the victim’s machine, and they use COM object hijacking to make the malware persistent on the system.

But unfortunately, researchers are unclear what was the purpose of this custom backdoor and also it is living a short time in the system. Later threat actors quickly remove it once they complete the task.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Read More:

MuddyWater APT’s BlackWater Malware Campaign Install Backdoor on Victims PC to Gain Remote Access & Evade Detection

Website

Latest articles

ShadowRoot Ransomware Attacking Organizations With Weaponized PDF Documents

A rudimentary ransomware targets Turkish businesses through phishing emails with ".ru" domain sender addresses....

BreachForumsV1 Database Leaked: Private messages, Emails & IP Exposed

BreachForumsV1, a notorious online platform for facilitating illegal activities, has reportedly suffered a massive...

250 Million Hamster Kombat Players Targeted Via Android And Windows Malware

Despite having simple gameplay, the new Telegram clicker game Hamster Kombat has become very...

Beware Of Malicious Python Packages That Steal Users Sensitive Data

Malicious Python packages uploaded by "dsfsdfds" to PyPI infiltrated user systems by exfiltrating sensitive...

Chinese Hackers Using Shared Framework To Create Multi-Platform Malware

Shared frameworks are often prone to hackers' abuses as they have been built into...

BlueStacks Emulator For Windows Flaw Exposes Millions Of Gamers To Attack

A significant vulnerability was discovered in BlueStacks, the world's fastest Android emulator and cloud...

Google Chrome 127 Released with a fix for 24 Security Vulnerabilities

Google has unveiled the latest version of its Chrome browser, Chrome 127, which is...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles