Skip to content

S0251 Zebrocy

Zebrocy is a Trojan that has been used by APT28 since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang. 1234

Item Value
ID S0251
Associated Names Zekapab
Version 3.0
Created 17 October 2018
Last Modified 23 April 2021
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Zekapab 56

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Zebrocy uses HTTP for C2.127386
enterprise T1071.003 Mail Protocols Zebrocy uses SMTP and POP3 for C2.127386
enterprise T1560 Archive Collected Data Zebrocy has used a method similar to RC4 as well as AES for encryption and hexadecimal for encoding data before exfiltration. 974
enterprise T1119 Automated Collection Zebrocy scans the system and automatically collects files with the following extensions: .doc, .docx, ,.xls, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .jpeg, .bmp, .tiff, .kum, .tlg, .sbx, .cr, .hse, .hsf, and .lhz.78
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Zebrocy creates an entry in a Registry Run key for the malware to execute on startup.786
enterprise T1037 Boot or Logon Initialization Scripts -
enterprise T1037.001 Logon Script (Windows) Zebrocy performs persistence with a logon script via adding to the Registry key HKCU\Environment\UserInitMprLogonScript.7
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Zebrocy uses cmd.exe to execute commands on the system.84
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers Zebrocy has the capability to upload dumper tools that extract credentials from web browsers and store them in database files.8
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Zebrocy has used URL/Percent Encoding on data exfiltrated via HTTP POST requests.6
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Zebrocy stores all collected information in a single file before exfiltration.7
enterprise T1140 Deobfuscate/Decode Files or Information Zebrocy decodes its secondary payload and writes it to the victim’s machine. Zebrocy also uses AES and XOR to decrypt strings and payloads.27
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography Zebrocy uses SSL and AES ECB for encrypting C2 communications.784
enterprise T1041 Exfiltration Over C2 Channel Zebrocy has exfiltrated data to the designated C2 server using HTTP POST requests.64
enterprise T1083 File and Directory Discovery Zebrocy searches for files that are 60mb and less and contain the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. Zebrocy also runs the echo %APPDATA% command to list the contents of the directory.978 Zebrocy can obtain the current execution path as well as perform drive enumeration.64
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion Zebrocy has a command to delete files and directories.784
enterprise T1105 Ingress Tool Transfer Zebrocy obtains additional code to execute on the victim’s machine, including the downloading of a secondary payload.1286
enterprise T1056 Input Capture -
enterprise T1056.004 Credential API Hooking Zebrocy installs an application-defined Windows hook to get notified when a network drive has been attached, so it can then use the hook to call its RecordToFile file stealing method.9
enterprise T1135 Network Share Discovery Zebrocy identifies network drives when they are added to victim systems.9
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.002 Software Packing Zebrocy‘s Delphi variant was packed with UPX.36
enterprise T1120 Peripheral Device Discovery Zebrocy enumerates information about connected storage devices.2
enterprise T1057 Process Discovery Zebrocy uses the tasklist and wmic process get Capture, ExecutablePath commands to gather the processes running on the system.27386
enterprise T1012 Query Registry Zebrocy executes the reg query command to obtain information in the Registry.8
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Zebrocy has a command to create a scheduled task for persistence.4
enterprise T1113 Screen Capture A variant of Zebrocy captures screenshots of the victim’s machine in JPEG and BMP format.273864
enterprise T1082 System Information Discovery Zebrocy collects the OS version, computer name and serial number for the storage volume C:. Zebrocy also runs the systeminfo command to gather system information. 1273864
enterprise T1016 System Network Configuration Discovery Zebrocy runs the ipconfig /all command.8
enterprise T1049 System Network Connections Discovery Zebrocy uses netstat -aon to gather network connection information.8
enterprise T1033 System Owner/User Discovery Zebrocy gets the username from the system.74
enterprise T1124 System Time Discovery Zebrocy gathers the current time zone and date information from the system.74
enterprise T1047 Windows Management Instrumentation One variant of Zebrocy uses WMI queries to gather information.3

Groups That Use This Software

ID Name References
G0007 APT28 12938


Back to top