Sofacy’s First-Stage Malware Zebrocy Analyzed
ESET security researchers have taken a deep dive into one of the tools heavily used by the Russian threat actor Sofacy over the past couple of years.
Dubbed Zebrocy, the tool serves as a first-stage malware in attacks and is comprised of a Delphi downloader, an AutoIt downloader and a Delphi backdoor. Used in multiple attacks, the malicious program often acts as a downloader for the actor’s main backdoor, Xagent.
Also referred to as APT28, Fancy Bear, Pawn Storm, Sednit, and Strontium, and active since around 2007, the group is focused on cyber espionage and has hit government, military, and defense organizations worldwide.
Supposedly the actor behind attacks targeting the 2016 presidential election in the United States, Sofacy has been known to target Ukraine and NATO countries, and has recently switched focus to targets in Asia.
Coexisting with another Sofacy first-stage tool, Seduploader, the Zebrocy malware has been used in attacks against victims in Azerbaijan, Bosnia and Herzegovina, Egypt, Georgia, Iran, Kazakhstan, Korea, Kyrgyzstan, Russia, Saudi Arabia, Serbia, Switzerland, Tajikistan, Turkey, Turkmenistan, Ukraine, Uruguay and Zimbabwe, ESET reveals.
Zebrocy is usually delivered via emails carrying malicious attachments and users are lured into opening them. These are either Microsoft Office documents that deliver the payload via VBA macros, exploits, or Dynamic Data Exchange (DDE), or archives containing executables with an icon and a document-like filename.
Once the malicious attachment is executed, the first stage of the Zebrocy family is delivered: a Delphi downloader (in some attacks the AutoIt stage was used directly). The downloader is usually masked using document or Windows library icons and some samples are packed with UPX.
When launched, the malware displays a splash window with a bogus error message to distract the user. In the background, however, the malware drops a file under %TEMP% and adds a Windows registry to achieve persistence. It also gathers information on the compromised system and sends it to the command and control (C&C) server via a HTTP POST request.
If the target is considered of interest, the C&C responds with the next stage, the AutoIt downloader, which acts as another layer of the reconnaissance phase. Packing all of the functionality of the Delphi downloader and even more, the AutoIt downloader is sometimes used as the first stage instead.
The tool can detect sandbox and virtual environments and retrieve system information such as: a list of installed software, Windows version (32-bit or 64-bit), process list, hard drive information, and screenshots, along with various details about the computer, gathered using Windows Management Instrumentation (WMI) objects.
The Delphi backdoor, which is the last stage of the Zebrocy chain of components, has an internal versioning number, unrelated to the campaign it is used in. It embeds configuration data such as: AES keys for C&C communication, URLs, malware version, persistence windows registry key/value, path to store temporary files, and the names of hidden directories to be created to store temporary files.
Once set up, the malware executes callback functions via the Windows API function SetTimer, allowing the attackers to handle features and commands: take a screenshot of the desktop, capture keystrokes, list drives/network resources, read/write into Windows registry, copy/move/delete a file system object, and execute files or create scheduled tasks.
The backdoor supports around 30 commands, which differ from one version to another. For communication purposes, the malware stores the report of these functions on a temp file, then reds the file content and sends it to the C&C.
Zebrocy might be the successor of another malware components written in Delphi that Sofacy is known have used, namely Downdelph. The tool was last seen in September 2015, two months before Zebrocy emerged and both malware families also use a similar deployment method, the researchers note.
“We have seen Zebrocy being heavily used by the Sednit group over the last two years. Our analysis of the many new variants that appeared on a regular basis since 2017 clearly indicates that Zebrocy is being actively maintained and improved by its author(s). We can consider it as one of the stable, mature tools in Sednit’s arsenal, a tool that deserves to be monitored closely,” ESET concludes.