Saturday, December 14, 2024

Fancy Bear APT Hackers Owned Zebrocy Malware Opens Backdoor on Victims Machine to Control it Remotely


Cybercriminals from the Sednit group, also known as Fancy Bear, APT28 and Sofacy, are launching new Zebrocy malware that is intended to open a backdoor on the targeted machine to gain remote access.

The Sednit hacking group has operated since 2004, and its operators have employed a variety of hacking tools in their espionage operations.

Researchers from ESET believe that the Sednit group unleashed new components that target victims in various countries in the Middle East and Central Asia in 2015. Since then, the number and diversity of components have increased drastically.


Unlike other malware campaigns, threat actors from the Sednit group launched a spearphishing email campaign that used a URL shortened with Bitly to deliver the first stage of the malware, which is pretty unusual.

Credits: ESET

Based on ESET telemetry data, the URL is delivered through the spearphishing email, and the link is IP-based, with the archive payload hosted behind it.

Zebrocy Malware infection Process

The archived payload contains two files: the first is the malicious executable and the second is the weaponized PDF file.

Once the victim clicks the file, the binary is executed and prompts the user to enter a password; eventually, the PDF opens after the validation attempt.

The PDF document appears to be empty, but the downloader, which is written in Delphi, starts its malicious process in the background; this first-stage downloader then downloads another new downloader and executes it.

According to ESET, “Once again this downloader is as straightforward as the Zebrocy gang’s other downloaders. It creates an ID and it downloads a new, interesting backdoor, (this time) written in Delphi.”

Later, this backdoor resides in the resource section and is split into four different hex-encoded, encrypted blobs.

Once the backdoor takes control of the system, it sends the necessary information about the newly compromised system. The operators then take control of the backdoor and start to send commands right away.

The first set of commands gathers information about the victim’s computer and environment:

| Commands | Arguments |
| --- | --- |
| SCREENSHOT | None |
| SYS_INFO | None |
| GET_NETWORK | None |
| SCAN_ALL | None |

“The commands above are commonly executed when the operators first connect to a newly activated backdoor. They don’t have any arguments, and they are quite self-explanatory. Other commands commonly seen executed shortly after these backdoors are activated”, listed below:

| Commands | Arguments |
| --- | --- |
| REG_GET_KEYS_VALUES | `HKEY_CURRENT_USER` |
| | `Software\Microsoft\Windows\CurrentVersion` |
| DOWNLOAD_DAY(30) | `c:\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg;*.jpeg; *.bmp;*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*` |
| | `d:\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg;*.` |
| DOWNLOAD_DAY(1) | `c:\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg*` |
| | `d:\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg*` |
| CMD_EXECUTE | `echo %APPDATA%` |
| | `ipconfig /all` |
| | `netstat -aon` |
| CMD_EXECUTE | `wmic process get Caption,ExecutablePath` |
| | `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /s` |
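
The CMD_EXECUTE sequence above lends itself to a behavioural detection: the sketch below (an added example, not code from ESET or from this article) flags a single parent process that spawns several of the listed discovery commands within a short window. The log line format, host names, file paths, window length and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands the article lists under CMD_EXECUTE, as case-insensitive regexes.
DISCOVERY = {
    "ipconfig_all": re.compile(r"\bipconfig(\.exe)?\s+/all\b", re.I),
    "netstat_aon": re.compile(r"\bnetstat(\.exe)?\s+-aon\b", re.I),
    "wmic_process": re.compile(r"\bwmic(\.exe)?\s+process\s+get\b", re.I),
    "reg_query_run": re.compile(r"\breg(\.exe)?\s+query\b.*\\CurrentVersion\\Run\b", re.I),
}

# Constructed sample (assumed format): timestamp|host|parent_pid|parent_image|command_line
SAMPLE_LOG = r"""
2024-01-10T09:00:01|WS-07|4120|C:\Users\a\AppData\Roaming\svc.exe|cmd.exe /c ipconfig /all
2024-01-10T09:00:03|WS-07|4120|C:\Users\a\AppData\Roaming\svc.exe|cmd.exe /c netstat -aon
2024-01-10T09:00:20|WS-07|4120|C:\Users\a\AppData\Roaming\svc.exe|cmd.exe /c wmic process get Caption,ExecutablePath
2024-01-10T09:00:41|WS-07|4120|C:\Users\a\AppData\Roaming\svc.exe|cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /s
2024-01-10T09:05:00|WS-12|880|C:\Windows\System32\cmd.exe|ipconfig /all
2024-01-10T11:30:00|WS-12|880|C:\Windows\System32\cmd.exe|netstat -aon
2024-01-10T15:00:00|WS-12|880|C:\Windows\System32\cmd.exe|wmic process get Caption
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, host, ppid, parent, cmd = line.split("|", 4)
        yield datetime.fromisoformat(ts), host, ppid, parent, cmd

def find_bursts(log, window=timedelta(seconds=120), min_distinct=3):
    """Return one alert per parent process that spawns >= min_distinct
    different discovery commands inside a sliding time window."""
    hits = defaultdict(list)  # (host, ppid, parent) -> [(timestamp, pattern name)]
    for ts, host, ppid, parent, cmd in parse(log):
        for name, rx in DISCOVERY.items():
            if rx.search(cmd):
                hits[(host, ppid, parent)].append((ts, name))
    alerts = []
    for key, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {n for t, n in events[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                alerts.append({"host": key[0], "parent": key[2],
                               "first_seen": start.isoformat(), "commands": sorted(seen)})
                break  # stop at the first qualifying window for this parent
    return alerts

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))
```

On the constructed sample, only the WS-07 parent is flagged; the same commands typed hours apart on WS-12 fall outside the window and raise nothing.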

Interestingly, the threat actors also deploy a custom backdoor on the victim’s machine, and they use COM object hijacking to make the malware persistent on the system.

Unfortunately, researchers are unclear about the purpose of this custom backdoor, which lives on the system for only a short time: the threat actors quickly remove it once they complete their task.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
