Connect with us

Hi, what are you looking for?


Malware & Threats

Researchers Dissect Tool Used by Infamous Russian Hacker Group

Sofacy’s First-Stage Malware Zebrocy Analyzed

ESET security researchers have taken a deep dive into one of the tools heavily used by the Russian threat actor Sofacy over the past couple of years.

Sofacy’s First-Stage Malware Zebrocy Analyzed

ESET security researchers have taken a deep dive into one of the tools heavily used by the Russian threat actor Sofacy over the past couple of years.

Dubbed Zebrocy, the tool serves as a first-stage malware in attacks and is comprised of a Delphi downloader, an AutoIt downloader and a Delphi backdoor. Used in multiple attacks, the malicious program often acts as a downloader for the actor’s main backdoor, Xagent.

Also referred to as APT28, Fancy Bear, Pawn Storm, Sednit, and Strontium, and active since around 2007, the group is focused on cyber espionage and has hit government, military, and defense organizations worldwide.

Supposedly the actor behind attacks targeting the 2016 presidential election in the United States, Sofacy has been known to target Ukraine and NATO countries, and has recently switched focus to targets in Asia.

Coexisting with another Sofacy first-stage tool, Seduploader, the Zebrocy malware has been used in attacks against victims in Azerbaijan, Bosnia and Herzegovina, Egypt, Georgia, Iran, Kazakhstan, Korea, Kyrgyzstan, Russia, Saudi Arabia, Serbia, Switzerland, Tajikistan, Turkey, Turkmenistan, Ukraine, Uruguay and Zimbabwe, ESET reveals.

Zebrocy is usually delivered via emails carrying malicious attachments and users are lured into opening them. These are either Microsoft Office documents that deliver the payload via VBA macros, exploits, or Dynamic Data Exchange (DDE), or archives containing executables with an icon and a document-like filename.

Once the malicious attachment is executed, the first stage of the Zebrocy family is delivered: a Delphi downloader (in some attacks the AutoIt stage was used directly). The downloader is usually masked using document or Windows library icons and some samples are packed with UPX.

Advertisement. Scroll to continue reading.

When launched, the malware displays a splash window with a bogus error message to distract the user. In the background, however, the malware drops a file under %TEMP% and adds a Windows registry to achieve persistence. It also gathers information on the compromised system and sends it to the command and control (C&C) server via a HTTP POST request.

If the target is considered of interest, the C&C responds with the next stage, the AutoIt downloader, which acts as another layer of the reconnaissance phase. Packing all of the functionality of the Delphi downloader and even more, the AutoIt downloader is sometimes used as the first stage instead.

The tool can detect sandbox and virtual environments and retrieve system information such as: a list of installed software, Windows version (32-bit or 64-bit), process list, hard drive information, and screenshots, along with various details about the computer, gathered using Windows Management Instrumentation (WMI) objects.

The Delphi backdoor, which is the last stage of the Zebrocy chain of components, has an internal versioning number, unrelated to the campaign it is used in. It embeds configuration data such as: AES keys for C&C communication, URLs, malware version, persistence windows registry key/value, path to store temporary files, and the names of hidden directories to be created to store temporary files.

Once set up, the malware executes callback functions via the Windows API function SetTimer, allowing the attackers to handle features and commands: take a screenshot of the desktop, capture keystrokes, list drives/network resources, read/write into Windows registry, copy/move/delete a file system object, and execute files or create scheduled tasks.

The backdoor supports around 30 commands, which differ from one version to another. For communication purposes, the malware stores the report of these functions on a temp file, then reds the file content and sends it to the C&C.

Zebrocy might be the successor of another malware components written in Delphi that Sofacy is known have used, namely Downdelph. The tool was last seen in September 2015, two months before Zebrocy emerged and both malware families also use a similar deployment method, the researchers note.

“We have seen Zebrocy being heavily used by the Sednit group over the last two years. Our analysis of the many new variants that appeared on a regular basis since 2017 clearly indicates that Zebrocy is being actively maintained and improved by its author(s). We can consider it as one of the stable, mature tools in Sednit’s arsenal, a tool that deserves to be monitored closely,” ESET concludes.

Related: Sofacy Attacks Overlap With Other State-Sponsored Operations


Related: Russian Cyberspies Shift Focus From NATO Countries to Asia

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.