Russian APT28 Hackers Use COVID-19 Lures to Deliver Zebrocy Malware via VHD File

The security firm Intezer revealed COVID-19 phishing lures that were used to deliver the Go version of Zebrocy. Zebrocy is mainly used against governments and commercial organizations engaged in foreign affairs.

The lure was a document about Sinopharm International Corporation, a pharmaceutical company whose COVID-19 vaccine is currently going through phase three clinical trials.

With many COVID-19 vaccines close to approval for clinical use, it is likely that APTs (Advanced Persistent Threats) and financially motivated threat actors will use this malware in their attacks.

Zebrocy Malware via VHD File

Zebrocy is malware used by the threat group Sofacy, also referred to as Sednit, APT28, Fancy Bear, and STRONTIUM. Sofacy was one of the groups indicted by the Department of Justice (DOJ) for the compromise of the Democratic National Committee (DNC).

Zebrocy functions as a downloader and collects information about the infected host that is uploaded to the command and control (C&C) server before downloading and executing the subsequent stage.

The first version of the downloader was written in Delphi and was based on a previous malware used by Sofacy. Zebrocy samples written in AutoIT, C++, C#, Delphi, Go, and VB.NET have been discovered by the research community.

The delivery of Zebrocy is usually via a spear-phishing email. The email includes Microsoft Office documents or archive files.

Technical Analysis

Intezer discovered a Virtual Hard Drive (VHD) file named 30-22-243.vhd that was uploaded from Azerbaijan to the VirusTotal scanning platform. VHD is the native file format for virtual hard drives used by Microsoft’s hypervisor, Hyper-V. Windows 10 supports the format natively and lets the user mount the file and access its content.

If the user double-clicks the file, Windows mounts it and it appears as an external hard drive (as shown in figure 2).

Content of the VHD file

It contains two files: a PDF file and an executable disguised as a Microsoft Word document. The researchers observed that the PDF file consists of presentation slides about Sinopharm International Corporation.
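As an added example (not code from Intezer or from this article), the following Python script shows how a defender can triage a suspicious attachment by parsing the 512-byte footer that every VHD image carries at its end, instead of trusting the file extension, and how to flag a file inside the mounted volume whose bytes are a PE executable while its name suggests a document. The footer layout and checksum follow the public VHD specification; the sample image, its footer values and the directory listing are constructed here and are not taken from the 30-22-243.vhd sample.

```python
import struct
import uuid
from typing import Iterable, List, Optional, Tuple

VHD_FOOTER_SIZE = 512
VHD_COOKIE = b"conectix"  # magic at the start of every VHD footer
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif")
# Footer layout from the VHD specification (big-endian), 512 bytes in total:
# cookie, features, format version, data offset, timestamp, creator app,
# creator version, creator host OS, original size, current size, geometry,
# disk type, checksum, unique id, saved state, 427 reserved bytes.
FOOTER_FMT = ">8sIIQI4sI4sQQIII16sB427x"
assert struct.calcsize(FOOTER_FMT) == VHD_FOOTER_SIZE


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum of the footer with the checksum field (offset 64) zeroed."""
    zeroed = footer[:64] + b"\x00\x00\x00\x00" + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def parse_vhd_footer(data: bytes) -> Optional[dict]:
    """Identify a VHD by its trailing footer; returns None if no footer is present."""
    if len(data) < VHD_FOOTER_SIZE:
        return None
    footer = data[-VHD_FOOTER_SIZE:]
    (cookie, features, version, data_offset, _ts, creator_app, _cver, creator_os,
     original_size, current_size, _geom, disk_type, checksum, unique_id, _saved) = \
        struct.unpack(FOOTER_FMT, footer)
    if cookie != VHD_COOKIE:
        return None
    return {
        "features": features,
        "format_version": version,
        "disk_type": DISK_TYPES.get(disk_type, "unknown(%d)" % disk_type),
        "creator_app": creator_app.decode("ascii", "replace").strip(),
        "creator_os": creator_os.decode("ascii", "replace"),
        "original_size": original_size,
        "current_size": current_size,
        "data_offset": data_offset,
        "unique_id": str(uuid.UUID(bytes=unique_id)),
        # A wrong checksum means the footer was hand-edited or truncated.
        "checksum_ok": checksum == vhd_checksum(footer),
    }


def build_fixed_vhd_footer(current_size: int) -> bytes:
    """Construct a minimal fixed-disk footer as test data (not from any real sample)."""
    body = struct.pack(
        FOOTER_FMT,
        VHD_COOKIE,
        0x00000002,          # features: reserved bit, always set per the spec
        0x00010000,          # file format version 1.0
        0xFFFFFFFFFFFFFFFF,  # data offset: none for a fixed disk
        0,                   # timestamp
        b"win ",             # creator application
        0x000A0000,          # creator version
        b"Wi2k",             # creator host OS
        current_size,
        current_size,
        0,                   # disk geometry (not needed for this check)
        2,                   # disk type: fixed
        0,                   # checksum placeholder, filled in below
        uuid.UUID(int=0x1234).bytes,
        0,                   # saved state
    )
    return body[:64] + struct.pack(">I", vhd_checksum(body)) + body[68:]


def flag_disguised_executables(entries: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Flag entries of the mounted volume whose content starts with a PE (MZ) header
    but whose name looks like a document (e.g. a hidden second extension) or
    carries no executable extension at all.  entries: (filename, first bytes)."""
    findings = []
    for name, head in entries:
        lower = name.lower()
        is_pe = head[:2] == b"MZ"
        named_like_document = any(ext in lower for ext in DOCUMENT_EXTENSIONS)
        has_exe_extension = lower.endswith(EXECUTABLE_EXTENSIONS)
        if is_pe and (named_like_document or not has_exe_extension):
            findings.append(name)
    return findings


def triage_vhd(data: bytes, entries: Iterable[Tuple[str, bytes]]) -> dict:
    """Combine both checks into one verdict for an attachment."""
    footer = parse_vhd_footer(data)
    return {
        "is_vhd": footer is not None,
        "footer": footer,
        "suspicious_files": flag_disguised_executables(entries) if footer else [],
    }


if __name__ == "__main__":
    # Constructed 3 MiB fixed VHD with a zero-filled data region and a valid footer.
    SIZE = 3 * 1024 * 1024
    SAMPLE_VHD = b"\x00" * SIZE + build_fixed_vhd_footer(SIZE)
    # Constructed directory listing of the mounted volume; the names are invented.
    SAMPLE_LISTING = [
        ("company_overview.pdf", b"%PDF-1.5\n"),
        ("company_overview.doc.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ]
    print(triage_vhd(SAMPLE_VHD, SAMPLE_LISTING))
```

Checking the footer catches a VHD that has been renamed to another extension, and the content check catches the double-extension trick that Explorer's default "hide extensions for known file types" setting makes effective. Mail gateways that already block executables can apply the same two checks to disk-image attachments they would otherwise pass through.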

“The threat group behind Zebrocy is using COVID-19-themed related lures when many vaccines are about to get approved for use. The group is known to use current events as part of their phishing lures”, says the Intezer report.

Intezer’s security researchers discovered another Go version of Zebrocy, used in previous attacks, as well as a second VHD file that was uploaded to VirusTotal in October, and which was dropping the Delphi version of the malware. The PDF lure in this file was written in Russian.

Final Word

“With these recent phishing lures, it’s clear that COVID-19 themed attacks are still a threat and we might see more as vaccines become available to the general public. Companies must use defense-in-depth strategies to protect against threats. Employers should also ensure employees are trained on detecting and reacting to phishing attempts,” Intezer concludes.



Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
