Russian Cyberspies Use COVID-19 Vaccine Lures to Deliver Malware

The Russia-linked cyberspy group known as Zebrocy has adopted COVID-19 vaccine-related lures in a recently observed phishing campaign, threat detection and response company Intezer reported on Wednesday.

Initially detailed in 2018, Zebrocy is believed to be associated with the infamous Russian state-sponsored hacking group Sofacy (also tracked as APT28, Fancy Bear, Pawn Storm, Sednit, and Strontium).

In September 2020, QuoINT security researchers revealed that Zebrocy attacks on countries associated with the North Atlantic Treaty Organization (NATO) had continued. One month later, the United States Cyber Command (USCYBERCOM) shared new malware samples associated with the group.

In November, Intezer’s security researchers observed Zebrocy phishing emails carrying lure documents about Chinese pharmaceutical company Sinopharm International Corporation, which has reached phase three clinical trials for a COVID-19 vaccine.

The documents were served as part of a Virtual Hard Drive (VHD) file that required Windows 10 to be opened without Microsoft’s hypervisor, Hyper-V. The employed malware was heavily obfuscated, the researchers say.

Initially, the adversary delivered the Zebrocy malware’s Delphi variant to the victims, but in mid-November the attackers switched to using the Go version instead.

First used in 2015, the Zebrocy malware functions as a downloader, but is also capable of collecting and exfiltrating information from the infected systems before fetching and executing a next stage payload.

The Delphi version of the malware was the first to be used in attacks, with AutoIT, C++, C#, Delphi, Go, and VB.NET samples discovered afterwards. To date, Zebrocy has been observed mainly in attacks targeting governments and commercial organizations in a large number of countries in Europe, Asia, Africa, and the Middle East.

The VHD file used in the recent attacks appears to have been created on November 20, 2020. It includes a PDF document (containing presentation slides about Sinopharm International Corporation) and an executable posing as a Word document.

The Chinese company referenced in the PDF has been working on a COVID-19 vaccine. Currently in phase three clinical trials, the vaccine has already been given to approximately one million people.

“It may not come as a surprise that the threat group behind Zebrocy is using COVID-19-themed related lures when many vaccines are about to get approved for use. The group is known to use current events as part of their phishing lures,” Intezer points out.

The second file, the Go version of Zebrocy, collects information such as hostname and the path to the TEMP folder and sends it to the command and control (C&C) server. It also includes screenshot functionality, which the author has implemented directly into it, instead of relying on an external library. Screenshots are uploaded to the C&C, which may respond with the next stage payload.

During their investigation, Intezer’s security researchers discovered another Go version of Zebrocy, used in previous attacks, as well as a second VHD file that was uploaded to VirusTotal in October, and which was dropping the Delphi version of the malware. The PDF lure in this file was written in Russian.

“With these recent phishing lures, it’s clear that COVID-19 themed attacks are still a threat and we might see more as vaccines become available to the general public. It’s important that companies use defense-in-depth strategies to protect against threats. Employers should also ensure employees are trained on detecting and reacting to phishing attempts,” Intezer concludes.

Related: FBI, NSA Share Details on New ‘Drovorub’ Linux Malware Used by Russia

Related: Russia Denies Microsoft Claims of Healthcare Cyber Attacks

Related: U.S. Hospitals Warned of Imminent Ransomware Attacks From Russia