S0251 Zebrocy
Zebrocy is a Trojan that has been used by APT28 since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang. [1][2][3][4]
| Item | Value |
|---|---|
| ID | S0251 |
| Associated Names | Zekapab |
| Type | MALWARE |
| Version | 3.0 |
| Created | 17 October 2018 |
| Last Modified | 23 April 2021 |
Associated Software Descriptions
| Name | Description |
|---|---|
| Zekapab | [5][6] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Zebrocy uses HTTP for C2. [1][2][8][3][7][6] |
| enterprise | T1071.003 | Mail Protocols | Zebrocy uses SMTP and POP3 for C2. [1][2][8][3][7][6] |
| enterprise | T1560 | Archive Collected Data | Zebrocy has used a method similar to RC4 as well as AES for encryption and hexadecimal for encoding data before exfiltration. [9][8][4] |
| enterprise | T1119 | Automated Collection | Zebrocy scans the system and automatically collects files with the following extensions: .doc, .docx, .xls, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .jpeg, .bmp, .tiff, .kum, .tlg, .sbx, .cr, .hse, .hsf, and .lhz. [8][7] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Zebrocy creates an entry in a Registry Run key for the malware to execute on startup. [8][7][6] |
| enterprise | T1037 | Boot or Logon Initialization Scripts | - |
| enterprise | T1037.001 | Logon Script (Windows) | Zebrocy performs persistence with a logon script by adding to the Registry key HKCU\Environment\UserInitMprLogonScript. [8] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Zebrocy uses cmd.exe to execute commands on the system. [7][4] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | Zebrocy has the capability to upload dumper tools that extract credentials from web browsers and store them in database files. [7] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Zebrocy has used URL/Percent Encoding on data exfiltrated via HTTP POST requests. [6] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Zebrocy stores all collected information in a single file before exfiltration. [8] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Zebrocy decodes its secondary payload and writes it to the victim's machine. Zebrocy also uses AES and XOR to decrypt strings and payloads. [2][8] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | Zebrocy uses SSL and AES ECB for encrypting C2 communications. [8][7][4] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Zebrocy has exfiltrated data to the designated C2 server using HTTP POST requests. [6][4] |
| enterprise | T1083 | File and Directory Discovery | Zebrocy searches for files that are 60 MB or less and have the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. Zebrocy also runs the echo %APPDATA% command to list the contents of the directory. [9][8][7] Zebrocy can obtain the current execution path as well as perform drive enumeration. [6][4] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Zebrocy has a command to delete files and directories. [8][7][4] |
| enterprise | T1105 | Ingress Tool Transfer | Zebrocy obtains additional code to execute on the victim's machine, including the downloading of a secondary payload. [1][2][7][6] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.004 | Credential API Hooking | Zebrocy installs an application-defined Windows hook to get notified when a network drive has been attached, so it can then use the hook to call its RecordToFile file stealing method. [9] |
| enterprise | T1135 | Network Share Discovery | Zebrocy identifies network drives when they are added to victim systems. [9] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | Zebrocy's Delphi variant was packed with UPX. [3][6] |
| enterprise | T1120 | Peripheral Device Discovery | Zebrocy enumerates information about connected storage devices. [2] |
| enterprise | T1057 | Process Discovery | Zebrocy uses the tasklist and wmic process get Caption,ExecutablePath commands to gather the processes running on the system. [2][8][3][7][6] |
| enterprise | T1012 | Query Registry | Zebrocy executes the reg query command to obtain information in the Registry. [7] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Zebrocy has a command to create a scheduled task for persistence. [4] |
| enterprise | T1113 | Screen Capture | A variant of Zebrocy captures screenshots of the victim's machine in JPEG and BMP format. [2][8][3][7][6][4] |
| enterprise | T1082 | System Information Discovery | Zebrocy collects the OS version, computer name and serial number for the storage volume C:. Zebrocy also runs the systeminfo command to gather system information. [1][2][8][3][7][6][4] |
| enterprise | T1016 | System Network Configuration Discovery | Zebrocy runs the ipconfig /all command. [7] |
| enterprise | T1049 | System Network Connections Discovery | Zebrocy uses netstat -aon to gather network connection information. [7] |
| enterprise | T1033 | System Owner/User Discovery | Zebrocy gets the username from the system. [8][4] |
| enterprise | T1124 | System Time Discovery | Zebrocy gathers the current time zone and date information from the system. [8][4] |
| enterprise | T1047 | Windows Management Instrumentation | One variant of Zebrocy uses WMI queries to gather information. [3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0007 | APT28 | [1][2][9][3][7] |
References
1. Lee, B., Falcone, R. (2018, June 06). Sofacy Group's Parallel Attacks. Retrieved June 18, 2018.
2. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New 'Cannon' Trojan. Retrieved November 26, 2018.
3. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group's Global Campaign. Retrieved April 19, 2019.
4. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
5. Shoorbajee, Z. (2018, November 29). Accenture: Russian hackers using Brexit talks to disguise phishing lures. Retrieved July 16, 2019.
6. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
7. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
8. ESET. (2018, November 20). Sednit: What's going on with Zebrocy?. Retrieved February 12, 2019.
9. Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.