Russian APT28 Hackers Use COVID-19 Lures to Deliver Zebrocy Malware via VHD File

The security firm Intezer has revealed COVID-19 phishing lures that were used to deliver the Go version of Zebrocy. Zebrocy is mainly used against governments and commercial organizations engaged in foreign affairs.

The lure was a document about Sinopharm International Corporation, a pharmaceutical company whose COVID-19 vaccine was in phase three clinical trials at the time.

With many COVID-19 vaccines close to approval for clinical use, both APT (Advanced Persistent Threat) groups and financially motivated threat actors are likely to keep using vaccine-themed lures in their attacks.

Zebrocy Malware via VHD File

Zebrocy is malware used by the threat group Sofacy, also referred to as Sednit, APT28, Fancy Bear, and STRONTIUM. Sofacy was one of the groups named in the Department of Justice (DOJ) indictment over the compromise of the Democratic National Committee (DNC).

Zebrocy functions as a downloader: it collects information about the infected host, uploads it to the command and control (C&C) server, and then downloads and executes the next stage.

The first version of the downloader was written in Delphi and was based on earlier malware used by Sofacy. Zebrocy samples written in AutoIT, C++, C#, Delphi, Go, and VB.NET have since been discovered by the research community.

Zebrocy is usually delivered via a spear-phishing email carrying Microsoft Office documents or archive files.

Technical Analysis

Intezer discovered a Virtual Hard Disk (VHD) file named 30-22-243.vhd that was uploaded from Azerbaijan to the VirusTotal scanning platform. VHD is the native file format for virtual hard disks used by Microsoft's hypervisor, Hyper-V. Windows 10 has built-in support for the format and lets the user mount the file and access its content without any third-party software.

If the user double-clicks the file, Windows mounts it and it appears as an external hard drive (as shown in figure 2). Because the mount is handled by the operating system itself, the attacker gets a container format that reaches the victim's desktop without relying on an Office macro or an archive utility.

Content of the VHD file

It contains two files: a PDF file and an executable disguised as a Microsoft Word document. The researchers observed that the PDF file consists of presentation slides about Sinopharm International Corporation, so the decoy is visible to the victim while the executable carries the Zebrocy payload.

“The threat group behind Zebrocy is using COVID-19-themed related lures when many vaccines are about to get approved for use. The group is known to use current events as part of their phishing lures”, says the Intezer report.

Intezer's researchers also identified another Go version of Zebrocy used in earlier attacks, as well as a second VHD file uploaded to VirusTotal in October that dropped the Delphi version of the malware. The PDF lure in that file was written in Russian.

Final Word

“With these recent phishing lures, it’s clear that COVID-19 themed attacks are still a threat and we might see more as vaccines become available to the general public. Companies must use defense-in-depth strategies to protect against threats. Employers should also ensure employees are trained on detecting and reacting to phishing attempts,” Intezer concludes.


Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
