Zebrocy Malware Laced Phishing Email Threat Intel Advisory

December 19, 2020
min read
Malware Intelligence
Threat Actor 

Sofacy, Sednit, Fancy Bear, STRONTIUM 

Target Platform


APT28 (also known as Fancy Bear, Sofacy, Sednit, STRONTIUM) was discovered using the malware Zebrocy as part of their new COVID-19 campaign targeting Government agencies and commercial organization of the following nations:

  • Afghanistan
  • Azerbaijan
  • Zimbabwe
  • China
  • Japan
  • Kazakhstan
  • Egypt
  • Georgia
  • Iran
  • Korea
  • Kyrgyzstan
  • Mongolia
  • Russia
  • Saudi Arabia
  • Serbia
  • Switzerland
  • Tajikistan
  • Turkey
  • Turkmenistan
  • Ukraine
  • Uruguay
  • Bosnia and Herzegovina

Zebrocy is a sub-group that helps APT groups like Sofacy with victim profiling and access. The malware that the group delivers, dubbed Zebrocy, initiates the campaign by sending out phishing emails with malicious attachments, masquerading as the latest research by Sinopharm International Corporation on COVID-19. The actors also pose as officials from Directorate General of Civil Aviation, India.


Trojanized DGCA Documents in VHD
Trojanized DGCA Documents in VHD

The malicious email usually contains a Virtual Hard Disk (VHD), which can only be accessed in Windows 10. The VHD includes the following files: 

  • PDF of Sinopharm International Corporation’s latest research on COVID-19
  • Word document that contains the Zebrocy malware
Trojanized Sinopharm Document in VHD
Trojanized Sinopharm Document in VHD

The malware launches a backdoor and a downloader. Zebrocy is armed with these functionalities :

  • Collect system information and send them to the C&C server.
  • Manipulate files
  • Take screenshots of the user environment
  • Drive enumeration 
  • Persistence via scheduled task 

The enumerated data is sent to the C2, awaiting further commands.


Technical Impact
  • Persistence in the infected system.
  • This malware can create, edit, or delete any file in the system.
  • Capable of discovering all the connected devices.
  • Expose personal data of the victims.
Business Impact
  • Compromise all devices that are connected to the infected device
  • Possibilities of business data leaks

Indicators of Compromise


  • hxxps://support-cloud[.]life/managment/cb-secure/technology.php

VHD files

  • d5d9210ef49c6780016536b0863cc50f6de03f73e70c2af46cc3cff0e2bf9353  30-1868.vhd
  • 43c65d87d690aea7c515fe84317af40b7e64b350304b0fc958a51d62826feade  30-22-243.vhd
  • d444fde5885ec1241041d04b3001be17162523d2058ab1a7f88aac50a6059bc0  No.243.CB3-EVACUATION LETTER.vhd


  • f36a0ee7f4ec23765bb28fbfa734e402042278864e246a54b8c4db6f58275662  243_BIO_SINOPHARM.exe
  • 61c2e524dcc25a59d7f2fe7eff269865a3ed14d6b40e4fea33b3cd3f58c14f19  243.CB3.EVACUATION LETTER.exe
  • 6449d0cb1396d6feba7fb9e25fb20e9a0a5ef3e8623332844458d73057cf04a1  30-1868 20.10.2020.exe


  • Users should practice cyber hygiene
  • Keep the system up to date 
  • Update EDR with the latest signature
  • Deploy effective IDPS in the network
  • Disable file and printer sharing services
  • Use of complex passwords and periodic password rotation
  • Proper account and privilege audits
No items found.