APT28 (also known as Fancy Bear, Sofacy, Sednit, STRONTIUM) was observed using the Zebrocy malware as part of its new COVID-19-themed campaign targeting government agencies and commercial organizations in the following nations:
Bosnia and Herzegovina
Zebrocy is a sub-group that supports APT groups such as Sofacy with victim profiling and initial access. The malware the group delivers, also dubbed Zebrocy, starts the campaign through phishing emails with malicious attachments that masquerade as the latest COVID-19 research from Sinopharm International Corporation. The actors also pose as officials from the Directorate General of Civil Aviation, India.
The malicious email usually carries a Virtual Hard Disk (VHD) attachment, which can only be accessed on Windows 10. The VHD contains the following files:
A PDF of Sinopharm International Corporation's latest research on COVID-19
A Word document that contains the Zebrocy malware
The malware launches a backdoor and a downloader. Zebrocy provides the following functionality:
Collect system information and send it to the C2 server.
Take screenshots of the user environment.
Establish persistence via a scheduled task.
The collected data is sent to the C2 server, after which the malware awaits further commands.
Persistence on the infected system.
The malware can create, edit, or delete any file on the system.
Discovery of all connected devices.
Exposure of the victims' personal data.
Compromise of all devices connected to the infected device.
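The chain described above (a VHD attachment mounted from a user directory, an Office document opened from the mounted drive, a child process spawned by Office, and a scheduled task registered for persistence) is something a defender can correlate in endpoint telemetry. The following Python script is an added example written for this page; it is not code from the article or from any vendor report. It runs over constructed sample events in a simplified JSON-lines format (the hostnames, user names, file paths, drive letters and task names are invented for illustration and are not indicators from the campaign), and the rule names and time window are assumptions of the example.

```python
"""Correlate endpoint events for the VHD -> Office -> child process -> scheduled task
chain described in the article. Added example; the event format, rule names and
sample data below are constructed and not taken from the article."""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry in a simplified JSON-lines format (one event per line).
# Paths, hosts, users and the task name are made up; none are real indicators.
SAMPLE_EVENTS = r"""
{"ts": "2020-12-01T09:00:00", "host": "ws01", "type": "vhd_mount", "user": "alice", "path": "C:\\Users\\alice\\Downloads\\covid_research.vhd", "mount": "E:"}
{"ts": "2020-12-01T09:00:30", "host": "ws01", "type": "process_create", "user": "alice", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "parent": "C:\\Windows\\explorer.exe", "cmdline": "WINWORD.EXE E:\\report.docx"}
{"ts": "2020-12-01T09:00:45", "host": "ws01", "type": "process_create", "user": "alice", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchst.exe", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "svchst.exe"}
{"ts": "2020-12-01T09:00:50", "host": "ws01", "type": "task_create", "user": "alice", "task": "\\Updater", "creator": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchst.exe"}
{"ts": "2020-12-01T10:15:00", "host": "ws02", "type": "task_create", "user": "SYSTEM", "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "creator": "C:\\Windows\\System32\\svchost.exe"}
"""

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Directories from which a VHD mount is unusual for most users (assumed policy).
SUSPECT_VHD_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\inetcache\\")
# Task creators under these prefixes are treated as benign system activity (assumed policy).
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=5)):
    """Return alerts for each stage of the chain, correlated per host within 'window'."""
    alerts = []
    mounted = {}          # (host, drive letter) -> vhd_mount event
    office_children = {}  # (host, child image path) -> process_create event
    for ev in events:
        kind = ev["type"]
        if kind == "vhd_mount":
            if any(d in ev["path"].lower() for d in SUSPECT_VHD_DIRS):
                alerts.append({"rule": "vhd_mounted_from_user_dir", "host": ev["host"],
                               "ts": ev["ts"], "detail": ev["path"]})
            mounted[(ev["host"], ev["mount"].lower())] = ev
        elif kind == "process_create":
            image, parent = basename(ev["image"]), basename(ev["parent"])
            if image in OFFICE_IMAGES:
                # Office opening a document that lives on a freshly mounted VHD volume.
                tokens = [t.lower() for t in ev["cmdline"].split()]
                for (host, drive), mnt in mounted.items():
                    if (host == ev["host"] and ev["ts"] - mnt["ts"] <= window
                            and any(t.startswith(drive) for t in tokens)):
                        alerts.append({"rule": "office_opened_doc_from_vhd", "host": host,
                                       "ts": ev["ts"], "detail": ev["cmdline"]})
            if parent in OFFICE_IMAGES:
                # A document-handling process spawning an executable is the usual
                # sign of a macro or exploit dropping the backdoor/downloader.
                alerts.append({"rule": "office_spawned_child", "host": ev["host"],
                               "ts": ev["ts"], "detail": ev["image"]})
                office_children[(ev["host"], ev["image"].lower())] = ev
        elif kind == "task_create":
            creator = ev["creator"].lower()
            spawn = office_children.get((ev["host"], creator))
            if spawn is not None and ev["ts"] - spawn["ts"] <= window:
                alerts.append({"rule": "scheduled_task_from_office_child", "host": ev["host"],
                               "ts": ev["ts"], "detail": ev["task"]})
            elif not creator.startswith(TRUSTED_PREFIXES):
                alerts.append({"rule": "scheduled_task_from_untrusted_path", "host": ev["host"],
                               "ts": ev["ts"], "detail": ev["task"]})
    return alerts


def run_sample():
    """Run the correlation over the constructed sample and return the alerts."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in run_sample():
        print(a["ts"].isoformat(), a["host"], a["rule"], a["detail"])
```

On the constructed sample the script raises four alerts, all for host ws01, one per stage of the chain; the scheduled task created by the system process on ws02 is ignored because its creator sits under a trusted prefix. The per-host correlation within a short window is what separates this from four independent rules: a scheduled task registered by a binary that Office itself spawned a minute after a VHD was mounted from Downloads is far stronger evidence than any one of those events alone.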