A recently observed campaign from the Zebrocy APT operators relied on a revamped backdoor to maintain access to victim hosts and extract profiling information.

The backdoor comes with previously seen capabilities, but the operators used a Golang-based version instead of the Delphi variant that security researchers were already familiar with.

Zebrocy is a toolkit of downloaders, droppers, and backdoors that is associated with the Russian-speaking advanced threat group Sednit; the hackers are also known by the names APT28, Fancy Bear, Sofacy, Group 74, and STRONTIUM and run cyber-espionage operations.

Dropbox used to host malicious document template

After a period of relative silence, researchers from multiple security companies saw Zebrocy operators resume activity on August 20.

Victimology remained the same, as the group continued to target embassies and Ministries of Foreign Affairs in Eastern European and Central Asian countries.

Zebrocy's latest operation was blown on August 22, when their spear-phishing email was uploaded to the VirusTotal antivirus scanning platform.

The attack vector was analyzed in a blog post on August 29 by security researchers from Telsy's threat hunting division (Threat Recon Team - TRT).

The document attached to the spear-phishing message is blank but includes a reference to a remote payload that comes with malicious routines.

An eyebrow-raiser for this campaign is the use of Dropbox to host the malicious template - wordData.dotm - containing malicious macros that are executed upon opening the empty document.
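A defender-side check for the remote-template vector described above, added here as an example and not code from Telsy's or ESET's analyses: it opens a Word document as the ZIP it is and reports any external attached-template relationship, which is how a blank document pulls a .dotm from a remote host. The sample document and the URL it carries are constructed placeholders, not values from the campaign.

```python
"""Flag Word documents that load an external (remote) attached template.

A remote-template document keeps its body blank and carries a relationship
in word/_rels/settings.xml.rels of type attachedTemplate with
TargetMode="External"; the macros live in the fetched template, not here.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    "/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def remote_templates(docx_bytes):
    """Return external attachedTemplate targets found in a .docx/.dotx blob."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return found  # no settings relationships: nothing to attach
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                found.append(rel.get("Target"))
    return found


def build_sample(target=None):
    """Constructed minimal document; with a target it references a remote template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")  # blank body, as in the lure
        zf.writestr("word/settings.xml", "<settings/>")
        if target is not None:
            zf.writestr(
                SETTINGS_RELS,
                f'<Relationships xmlns="{RELS_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{target}" TargetMode="External"/></Relationships>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL, constructed for the example (not an indicator from the campaign)
    print(remote_templates(build_sample("https://example.com/PLACEHOLDER/wordData.dotm")))
```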

Security researchers from ESET dug deeper into Zebrocy's convoluted attack chain and discovered that some of the tools used in the past have been refreshed. They agree that using the Dropbox service is an unusual approach for this group.

Old backdoor, now in Golang

The researchers found that the compromise activity was "quite loud," with the threat actor dropping at least six malicious components before running the final payload. This approach is highly likely to trigger alerts from a security product.

One of the downloaders Zebrocy used for this compromise is an older acquaintance of security researchers, who saw it in past operations execute other pieces of malware: a file dumper and the group's regular backdoor written in Delphi.

This time, though, the same downloader retrieved and deployed a new backdoor, similar to the Delphi-based one but written in Golang. ESET believes this is the first time this new malware piece has been seen.

"An AES algorithm, hex encoding, and screenshot capabilities are the main entries that were added." - ESET

The Delphi-written backdoor could also take screenshots, but the new one saves them in the PNG format instead of JPG, which normally produces smaller files.

As far as its capabilities are concerned, the new backdoor does not differ much from its previous version:

• file manipulation such as creation, modification, and deletion

• screenshot capabilities

• drive enumeration

• command execution (via cmd.exe)

• task scheduling under the name Windows\Software\OSDebug (which the operators could use to set persistence manually)

There is a small set of commands available, although arbitrary instructions can be executed via Command Prompt; this allows the adversary to use the malware to collect information from the system and establish persistence on the victim host.

"The network protocol shares some similarities with the Delphi version of the backdoor. The first interaction with the C&C server retrieves an AES 32-bit key to encrypt future communications." - ESET

Although the latest Zebrocy arsenal lacks new functionality, switching to other languages for their malware seems to be an effort to evade detection while maintaining the regular tactics, techniques, and procedures.