APT28 (also known as Fancy Bear, Sofacy, Sednit and STRONTIUM) was discovered using the Zebrocy malware in a new COVID-19-themed campaign targeting government agencies and commercial organizations in the following nations:
Afghanistan
Azerbaijan
Zimbabwe
China
Japan
Kazakhstan
Egypt
Georgia
Iran
Korea
Kyrgyzstan
Mongolia
Russia
Saudi Arabia
Serbia
Switzerland
Tajikistan
Turkey
Turkmenistan
Ukraine
Uruguay
Bosnia and Herzegovina
Zebrocy is a sub-group that helps APT groups like Sofacy with victim profiling and access. The malware the group delivers, also dubbed Zebrocy, initiates the campaign with phishing emails carrying malicious attachments that masquerade as the latest research by Sinopharm International Corporation on COVID-19. The actors also pose as officials from the Directorate General of Civil Aviation (DGCA), India.
Infection
Figure: Trojanized DGCA documents in VHD
The malicious email usually carries a Virtual Hard Disk (VHD) attachment, which can only be accessed in Windows 10. The VHD contains the following files:
A PDF of Sinopharm International Corporation's latest research on COVID-19
A Word document that carries the Zebrocy malware
Figure: Trojanized Sinopharm document in VHD
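Because the lure arrives as a VHD rather than as an Office document or archive, attachment filters that key on file extension alone are easy to sidestep with a renamed or double-extension file. The following is an added example for this write-up (not tooling from the campaign or from the authors) that identifies VHD and VHDX attachments by their documented on-disk signatures instead: the VHD footer cookie "conectix" (found in the last 512 bytes, and also at offset 0 in dynamic/differencing images) and the VHDX file type identifier "vhdxfile" at offset 0. The sample attachments are constructed byte strings with made-up names.

```python
"""Identify VHD/VHDX mail attachments by content rather than extension.

Added example for this write-up, not part of the original analysis. It uses
two documented virtual-disk signatures:
  - VHD:  a 512-byte footer whose first 8 bytes are the cookie b"conectix";
          dynamic and differencing VHDs also carry a copy at offset 0.
  - VHDX: the file type identifier b"vhdxfile" at offset 0.
The sample attachments below are constructed, not real files.
"""
from __future__ import annotations

VHD_COOKIE = b"conectix"
VHDX_SIGNATURE = b"vhdxfile"
VHD_FOOTER_SIZE = 512


def classify_disk_image(data: bytes) -> str | None:
    """Return 'vhd', 'vhdx', or None when the bytes are not a virtual disk."""
    if data.startswith(VHDX_SIGNATURE):
        return "vhdx"
    if data.startswith(VHD_COOKIE):
        return "vhd"  # dynamic/differencing VHD: footer copy at the start
    if len(data) >= VHD_FOOTER_SIZE and data[-VHD_FOOTER_SIZE:].startswith(VHD_COOKIE):
        return "vhd"  # fixed VHD: footer only at the end
    return None


def triage_attachments(attachments: dict[str, bytes]) -> list[dict]:
    """Flag every attachment that is a virtual disk image.

    Also records whether the declared extension disagrees with the content
    and whether the name carries a double extension (e.g. 'notice.pdf.vhdx').
    """
    findings = []
    for name, data in attachments.items():
        kind = classify_disk_image(data)
        if kind is None:
            continue
        ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
        findings.append({
            "name": name,
            "type": kind,
            "extension_mismatch": ext != kind,
            "double_extension": name.count(".") > 1,
        })
    return findings


def _fake_fixed_vhd() -> bytes:
    """Constructed fixed VHD: payload bytes followed by a 512-byte footer."""
    footer = VHD_COOKIE + b"\x00" * (VHD_FOOTER_SIZE - len(VHD_COOKIE))
    return b"\x00" * 1024 + footer


# Constructed sample attachments; names are invented for the example.
SAMPLE_ATTACHMENTS = {
    "covid_research.pdf": b"%PDF-1.7\n%constructed sample\n",
    "sinopharm_report.vhd": _fake_fixed_vhd(),
    "dgca_notice.pdf.vhdx": VHDX_SIGNATURE + b"\x00" * 4096,
    "report.dat": VHD_COOKIE + b"\x00" * 1024,  # dynamic VHD, wrong extension
}

if __name__ == "__main__":
    for finding in triage_attachments(SAMPLE_ATTACHMENTS):
        print(finding)
```

At a mail gateway the same check would run over each decoded MIME part; a hit on a disk image, and especially a hit whose extension lies about the content, is a reasonable quarantine trigger since few business workflows deliver virtual disks by e-mail.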
The malware launches a backdoor and a downloader. Zebrocy has the following capabilities:
Collect system information and send it to the C2 server
Manipulate files
Take screenshots of the user environment
Enumerate drives
Persist via a scheduled task
The enumerated data is sent to the C2 server, after which the malware awaits further commands.
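The persistence mechanism named above, a scheduled task, is one of the more observable parts of this chain. When task auditing is enabled, Windows writes Security event ID 4698 ("A scheduled task was created") containing the task name and its full XML definition, and a task whose action runs a binary from a user-writable location is a common sign of user-level persistence. The following is an added example for this write-up, not part of the original analysis, that parses such records and flags actions pointing into user-writable directories. The event records, user names, task names and paths are all constructed for the example and are not indicators from the campaign.

```python
"""Hunt for suspicious scheduled-task creation in Windows Security event data.

Added example for this write-up, not part of the original analysis. Windows
Security event 4698 carries the created task's name and its XML definition.
The task XML is namespaced, so elements are matched on their local names.
All sample records below are constructed; the paths and names are invented.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Path fragments and environment variables that resolve to locations a
# standard user can write to without elevation (lower-cased for matching).
USER_WRITABLE = (
    "\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\",
    "%appdata%", "%localappdata%", "%temp%", "%tmp%", "%public%",
)
# Built-in hosts that run whatever path is passed in their arguments.
PROXY_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
               "cscript.exe", "powershell.exe", "cmd.exe"}


def is_user_writable(path: str) -> bool:
    """True when the path references a user-writable directory or env var."""
    normalized = path.lower().replace("/", "\\")
    return any(token in normalized for token in USER_WRITABLE)


def task_actions(task_xml: str) -> list[tuple[str, str]]:
    """Return (command, arguments) for every <Exec> action in a task definition."""
    # Exported event text keeps the XML declaration; drop it before parsing.
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)
    root = ET.fromstring(task_xml)
    actions = []
    for element in root.iter():
        if element.tag.rsplit("}", 1)[-1] != "Exec":
            continue
        command = arguments = ""
        for child in element:
            local = child.tag.rsplit("}", 1)[-1]
            if local == "Command":
                command = (child.text or "").strip()
            elif local == "Arguments":
                arguments = (child.text or "").strip()
        actions.append((command, arguments))
    return actions


def triage_task_events(events: list[dict]) -> list[dict]:
    """Return one finding per 4698 event whose action looks like persistence."""
    findings = []
    for event in events:
        if event.get("EventID") != 4698:
            continue
        for command, arguments in task_actions(event["TaskContent"]):
            flags = []
            if is_user_writable(command):
                flags.append("command_in_user_writable_dir")
            binary = command.lower().replace("/", "\\").rsplit("\\", 1)[-1]
            if binary in PROXY_HOSTS and is_user_writable(arguments):
                flags.append("args_reference_user_writable_path")
            if flags:
                findings.append({
                    "task_name": event["TaskName"],
                    "subject": event.get("SubjectUserName", ""),
                    "command": command,
                    "arguments": arguments,
                    "flags": flags,
                })
    return findings


# Constructed task definition in the shape 4698 records carry.
_TASK_XML = (
    '<Task version="1.2" '
    'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    "<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>"
    '<Actions Context="Author"><Exec><Command>{command}</Command>'
    "<Arguments>{arguments}</Arguments></Exec></Actions></Task>"
)

SAMPLE_EVENTS = [  # constructed records; nothing here is a real indicator
    {"EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": _TASK_XML.format(
         command="%windir%\\system32\\defrag.exe", arguments="-c -h -o -$")},
    {"EventID": 4698, "SubjectUserName": "alice",
     "TaskName": "\\OfficeUpdateCheck",
     "TaskContent": _TASK_XML.format(
         command="C:\\Users\\alice\\AppData\\Roaming\\Office\\update.exe",
         arguments="")},
    {"EventID": 4698, "SubjectUserName": "alice",
     "TaskName": "\\ReportSync",
     "TaskContent": _TASK_XML.format(
         command="C:\\Windows\\System32\\rundll32.exe",
         arguments="C:\\Users\\alice\\AppData\\Local\\Temp\\report.dll,Start")},
    {"EventID": 4624, "SubjectUserName": "alice"},  # unrelated logon event
]

if __name__ == "__main__":
    for finding in triage_task_events(SAMPLE_EVENTS):
        print(finding)
```

The same logic applies to the equivalent Task Scheduler operational log entries or to Sysmon process-creation events for schtasks.exe; the distinguishing signal in each case is the action path rather than the task name, which an attacker chooses freely.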
Impact
Technical Impact
Persistence on the infected system.
The malware can create, edit, or delete any file on the system.
Discovery of all connected devices.
Exposure of the victims' personal data.
Business Impact
Compromise of all devices connected to the infected device.