Russian APT28 Hackers Use COVID-19 Lures to Deliver Zebrocy Malware via VHD File

The security firm Intezer revealed COVID-19 phishing lures that were used to deliver the Go version of Zebrocy. Zebrocy is mainly used against governments and commercial organizations engaged in foreign affairs.

The lure consisted of a document about Sinopharm International Corporation, a pharmaceutical company whose COVID-19 vaccine is currently going through phase three clinical trials.

With many COVID-19 vaccines close to being approved for clinical use, it is likely that APT (Advanced Persistent Threat) groups and financially motivated threat actors will use this malware, with vaccine-themed lures, in their attacks.

Zebrocy Malware via VHD File

Zebrocy is malware used by the threat group Sofacy, also referred to as Sednit, APT28, Fancy Bear, and STRONTIUM. Sofacy was one of the groups indicted by the Department of Justice (DOJ) for the compromise of the Democratic National Committee (DNC).

Zebrocy functions as a downloader and collects information about the infected host that is uploaded to the command and control (C&C) server before downloading and executing the subsequent stage.

The first version of the downloader was written in Delphi and was based on an earlier malware family used by Sofacy. Zebrocy samples written in AutoIT, C++, C#, Delphi, Go, and VB.NET have since been discovered by the research community.

The delivery of Zebrocy is usually via a spear-phishing email. The email includes Microsoft Office documents or archive files.

Technical Analysis

Intezer discovered a Virtual Hard Drive (VHD) file named 30-22-243.vhd that was uploaded from Azerbaijan to the VirusTotal scanning platform. VHD is the native file format for virtual hard drives used by Microsoft’s hypervisor, Hyper-V. Windows 10 has native support for the format and allows the user to mount the file and access its content.

If the user double-clicks the file, Windows mounts the image and it appears as an external hard drive (as shown in figure 2).

Content of the VHD file

It contains two files: a PDF file and an executable disguised as a Microsoft Word document. The researchers observed that the PDF file consists of presentation slides about Sinopharm International Corporation.
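A triage helper for the delivery chain described above, as an added example (it is not code from Intezer's report or from the original article): it identifies a VHD by its 512-byte trailing footer rather than by file extension, verifies the footer checksum, and flags files inside a mounted image that present as documents but carry a PE (MZ) header or a trailing executable extension. The footer offsets follow Microsoft's published VHD specification; the sample footer and file names are constructed for the demonstration.

```python
import struct

VHD_COOKIE = b"conectix"
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
DOC_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl"}

def vhd_checksum(footer: bytes) -> int:
    # One's complement of the byte sum of the 512-byte footer, with the
    # checksum field itself (bytes 64..67) treated as zero.
    zeroed = footer[:64] + b"\0\0\0\0" + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF

def parse_vhd_footer(data: bytes):
    """Identify a VHD by its trailing footer (not by extension) and report what it declares."""
    if len(data) < 512 or data[-512:-504] != VHD_COOKIE:
        return None
    footer = data[-512:]
    original, current = struct.unpack(">QQ", footer[40:56])
    disk_type, checksum = struct.unpack(">II", footer[60:68])
    return {
        "disk_type": DISK_TYPES.get(disk_type, f"unknown({disk_type})"),
        "original_size": original,
        "current_size": current,
        "checksum_ok": checksum == vhd_checksum(footer),
    }

def disguised_executable(name: str, head: bytes) -> bool:
    """True if a file presented as a document is really a PE image or carries a
    trailing executable extension (e.g. 'report.docx.exe')."""
    stem, sep, ext = name.lower().rpartition(".")
    ext = sep + ext if sep else ""
    inner = "." + stem.rpartition(".")[2] if "." in stem else ""
    looks_like_doc = ext in DOC_EXTENSIONS or inner in DOC_EXTENSIONS
    return looks_like_doc and (head.startswith(b"MZ") or ext in EXEC_EXTENSIONS)

def build_sample_footer(disk_type: int = 2, size: int = 2 * 1024 * 1024) -> bytes:
    # Constructed fixture: a minimal fixed-disk footer with a valid checksum.
    f = bytearray(512)
    f[0:8] = VHD_COOKIE
    f[8:12] = struct.pack(">I", 2)                    # features: reserved bit
    f[12:16] = struct.pack(">I", 0x00010000)          # format version 1.0
    f[16:24] = struct.pack(">Q", 0xFFFFFFFFFFFFFFFF)  # data offset: none (fixed disk)
    f[40:56] = struct.pack(">QQ", size, size)         # original / current size
    f[60:64] = struct.pack(">I", disk_type)
    f[64:68] = struct.pack(">I", vhd_checksum(bytes(f)))
    return bytes(f)
```

On a mail gateway or sandbox, `parse_vhd_footer` can be run on any attachment regardless of its name, and `disguised_executable` on each file listed after the image is mounted.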

“The threat group behind Zebrocy is using COVID-19-themed related lures when many vaccines are about to get approved for use. The group is known to use current events as part of their phishing lures,” says the Intezer report.

Intezer’s security researchers discovered another Go version of Zebrocy, used in previous attacks, as well as a second VHD file that was uploaded to VirusTotal in October, and which was dropping the Delphi version of the malware. The PDF lure in this file was written in Russian.

Final Word

“With these recent phishing lures, it’s clear that COVID-19 themed attacks are still a threat and we might see more as vaccines become available to the general public. Companies must use defense-in-depth strategies to protect against threats. Employers should also ensure employees are trained on detecting and reacting to phishing attempts,” Intezer concludes.



Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
