Zebrocy

Zebrocy is a Trojan that has been used by APT28 since at least November 2015. The malware comes in several programming-language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang.[1][2][3][4]

ID: S0251
Associated Software: Zekapab
Type: MALWARE
Platforms: Windows
Contributors: Emily Ratliff, IBM
Version: 3.0
Created: 17 October 2018
Last Modified: 23 April 2021

Associated Software Descriptions

Name Description
Zekapab [5][6]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

One variant of Zebrocy uses WMI queries to gather information.[3]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Zebrocy has the capability to upload dumper tools that extract credentials from web browsers and store them in database files.[7]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Zebrocy uses SSL and AES ECB for encrypting C2 communications.[8][7][4] Note that AES in ECB mode is a symmetric cipher; the asymmetric component is the SSL/TLS session set-up, and ECB itself leaks repeated plaintext blocks as repeated ciphertext blocks.

Enterprise T1140 Deobfuscate/Decode Files or Information

Zebrocy decodes its secondary payload and writes it to the victim’s machine. Zebrocy also uses AES and XOR to decrypt strings and payloads.[2][8]

Enterprise T1037 .001 Boot or Logon Initialization Scripts: Logon Script (Windows)

Zebrocy performs persistence with a logon script via adding to the Registry key HKCU\Environment\UserInitMprLogonScript.[8]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Zebrocy creates an entry in a Registry Run key for the malware to execute on startup.[8][7][6]
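The two persistence locations above can be audited offline from a registry export. The following is an added example written for this page, not Zebrocy's own code or any vendor tooling: it parses the REG_SZ values out of `.reg` text (the constructed sample below stands in for the output of `reg export HKCU\Environment` and `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run`), flags any `UserInitMprLogonScript` value, flags Run entries that point into user-writable directories, and reports binaries referenced by more than one mechanism. The directory heuristic, the sample paths and the value names other than the two from the page are assumptions.

```python
"""Audit a Windows registry export for the two persistence mechanisms the page
attributes to Zebrocy: HKCU\\Environment\\UserInitMprLogonScript (T1037.001)
and the per-user Run key (T1547.001). Added example; the .reg text is constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample of two `reg export` outputs concatenated into one file.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Environment]
"Path"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\WindowsApps"
"TEMP"="C:\\Users\\alice\\AppData\\Local\\Temp"
"UserInitMprLogonScript"="C:\\Users\\alice\\AppData\\Roaming\\svc\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WinUpd"="C:\\Users\\alice\\AppData\\Roaming\\svc\\updater.exe"
'''

ENV_KEY = r'HKEY_CURRENT_USER\Environment'
RUN_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'

# Directories a standard user can write to; an autostart pointing here is a
# heuristic signal (assumed list), not proof of compromise.
USER_WRITABLE = ('\\appdata\\roaming\\', '\\appdata\\local\\temp\\',
                 '\\users\\public\\', '\\programdata\\')

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"(.+?)"="(.*)"$')   # REG_SZ lines only


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: data}} for REG_SZ values in a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg escapes backslash and quote with a backslash; undo in one pass.
            keys[current][m.group(1)] = re.sub(r'\\(.)', r'\1', m.group(2))
    return keys


def find_persistence(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (technique, value name, data) for the two mechanisms on the page."""
    findings = []
    env = reg.get(ENV_KEY, {})
    if 'UserInitMprLogonScript' in env:
        # Any value here deserves a look: the variable is rarely set legitimately.
        findings.append(('T1037.001', 'UserInitMprLogonScript', env['UserInitMprLogonScript']))
    for name, data in reg.get(RUN_KEY, {}).items():
        if any(p in data.lower() for p in USER_WRITABLE):
            findings.append(('T1547.001', name, data))
    return findings


def _exe_of(data: str) -> str:
    """Extract the executable path from a Run-style command string."""
    d = data.strip()
    if d.startswith('"'):
        return d[1:].split('"', 1)[0].lower()
    return d.split(' ', 1)[0].lower()


def shared_binaries(findings: List[Tuple[str, str, str]]) -> Set[str]:
    """Executables referenced by more than one persistence technique."""
    seen = defaultdict(set)
    for tech, _, data in findings:
        seen[_exe_of(data)].add(tech)
    return {exe for exe, techs in seen.items() if len(techs) > 1}


if __name__ == '__main__':
    found = find_persistence(parse_reg(SAMPLE_REG))
    for f in found:
        print(f)
    print('same binary in both locations:', shared_binaries(found))
```

On a live host, produce the input with `reg export` for the two keys and feed the concatenated text to `parse_reg`; the script deliberately does not touch the registry itself, so it can be run against exports collected during incident response.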

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Zebrocy uses cmd.exe to execute commands on the system.[7][4]

Enterprise T1120 Peripheral Device Discovery

Zebrocy enumerates information about connected storage devices.[2]

Enterprise T1113 Screen Capture

A variant of Zebrocy captures screenshots of the victim’s machine in JPEG and BMP format.[2][8][3][7][6][4]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Zebrocy uses HTTP for C2.[1][2][8][3][7][6]

Enterprise T1071 .003 Application Layer Protocol: Mail Protocols

Zebrocy uses SMTP and POP3 for C2.[1][2][8][3][7]

Enterprise T1560 Archive Collected Data

Zebrocy has used a method similar to RC4 as well as AES for encryption and hexadecimal for encoding data before exfiltration. [9][8][4]

Enterprise T1074 .001 Data Staged: Local Data Staging

Zebrocy stores all collected information in a single file before exfiltration.[8]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Zebrocy has used URL/Percent Encoding on data exfiltrated via HTTP POST requests.[6]

Enterprise T1083 File and Directory Discovery

Zebrocy searches for files of 60 MB or less that have one of the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. Zebrocy also runs echo %APPDATA% to resolve the path of the user's roaming application data directory (the command prints the expanded variable, not a directory listing).[9][8][7] Zebrocy can obtain the current execution path as well as perform drive enumeration.[6][4]

Enterprise T1012 Query Registry

Zebrocy executes the reg query command to obtain information in the Registry.[7]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Zebrocy's Delphi variant was packed with UPX.[3][6]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Zebrocy has a command to delete files and directories.[8][7][4]

Enterprise T1082 System Information Discovery

Zebrocy collects the OS version, computer name and serial number for the storage volume C:. Zebrocy also runs the systeminfo command to gather system information. [1][2][8][3][7][6][4]

Enterprise T1033 System Owner/User Discovery

Zebrocy gets the username from the system.[8][4]

Enterprise T1124 System Time Discovery

Zebrocy gathers the current time zone and date information from the system.[8][4]

Enterprise T1049 System Network Connections Discovery

Zebrocy uses netstat -aon to gather network connection information.[7]

Enterprise T1016 System Network Configuration Discovery

Zebrocy runs the ipconfig /all command.[7]

Enterprise T1135 Network Share Discovery

Zebrocy identifies network drives when they are added to victim systems.[9]

Enterprise T1119 Automated Collection

Zebrocy scans the system and automatically collects files with the following extensions: .doc, .docx, .xls, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .jpeg, .bmp, .tiff, .kum, .tlg, .sbx, .cr, .hse, .hsf, and .lhz.[8][7]
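The selection rule behind the T1083 search and the T1119 collection above (an extension allow-list plus the 60 MB ceiling) is simple enough to reproduce as an offline helper, which is useful both for emulation and for estimating what an infected host would have yielded. The following is an added example written for this page, not Zebrocy's code; the two extension sets and the size limit are taken from the page, while the directory layout, file names and sizes are constructed. The walk does not follow symlinks and skips files it cannot stat, which is what a robust collector also has to do.

```python
"""Reproduce the file-selection rule the page attributes to Zebrocy: files at
most 60 MB whose extension is on an allow-list (T1083 search list vs. T1119
collection list). Added example; the directory tree is constructed."""
import os
import tempfile
from typing import Iterable, List

# Extension sets exactly as listed on the page.
SEARCH_EXTS = {'.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.exe', '.zip', '.rar'}
COLLECT_EXTS = {'.doc', '.docx', '.xls', '.xlsx', '.pdf', '.pptx', '.rar', '.zip',
                '.jpg', '.jpeg', '.bmp', '.tiff', '.kum', '.tlg', '.sbx', '.cr',
                '.hse', '.hsf', '.lhz'}
MAX_BYTES = 60 * 1024 * 1024   # "60 MB or less"


def select_files(root: str, exts: Iterable[str], max_bytes: int = MAX_BYTES) -> List[str]:
    """Return paths relative to root whose lowercase extension is in exts and
    whose size is at most max_bytes. Symlinks are not followed; unreadable
    entries are skipped rather than aborting the walk."""
    wanted = {e.lower() for e in exts}
    hits: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in wanted:
                continue
            full = os.path.join(dirpath, name)
            try:
                size = os.stat(full, follow_symlinks=False).st_size
            except OSError:
                continue   # vanished or unreadable; a collector would skip it too
            if size <= max_bytes:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a constructed directory layout and return its root path."""
    root = tempfile.mkdtemp(prefix='zebrocy_demo_')
    os.makedirs(os.path.join(root, 'Documents', 'archive'))

    def put(rel: str, size: int) -> None:
        path = os.path.join(root, rel)
        with open(path, 'wb') as f:
            f.write(b'x' * min(size, 16))
        os.truncate(path, size)   # sparse extension: the 61 MB file costs no real disk

    put('Documents/report.docx', 4096)
    put('Documents/budget.XLS', 2048)                      # case-insensitive match
    put('Documents/archive/backup.zip', 61 * 1024 * 1024)  # over the ceiling
    put('Documents/scan.tiff', 1024)                       # T1119 list only
    put('notes.txt', 10)                                   # never selected
    return root


if __name__ == '__main__':
    r = build_sample_tree()
    print('T1083 search    :', select_files(r, SEARCH_EXTS))
    print('T1119 collection:', select_files(r, COLLECT_EXTS))
```

The same function with a large `max_bytes` lists what the size ceiling excluded, which is the quickest way to show an incident owner which documents the malware would have passed over.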

Enterprise T1105 Ingress Tool Transfer

Zebrocy obtains additional code to execute on the victim's machine, including the downloading of a secondary payload.[1][2][7][6]

Enterprise T1056 .004 Input Capture: Credential API Hooking

Zebrocy installs an application-defined Windows hook so that it is notified when a network drive is attached, and then uses that hook to call its RecordToFile file-stealing method.[9]

Enterprise T1057 Process Discovery

Zebrocy uses the tasklist and wmic process get Caption,ExecutablePath commands to gather the processes running on the system.[2][8][3][7][6] (Caption is the Win32_Process property; the "Capture" spelling that appears in some copies of this text is a typo.)
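Taken together, the discovery rows above (systeminfo, tasklist, wmic process get, netstat -aon, ipconfig /all, reg query, echo %APPDATA%, all launched through cmd.exe) describe a burst that is easy to spot in process-creation telemetry. The following is an added example written for this page, not a Zebrocy component or any vendor's rule: it parses constructed Sysmon-style process-creation events, classifies each cmd.exe child into a discovery family, and raises an alert when one parent spawns three or more distinct families within two minutes. The event format, the 120-second window, the three-family threshold and the sample PIDs are assumptions; the command patterns come from the page.

```python
"""Detection sketch for the discovery-command burst the page attributes to
Zebrocy. Added example; the process-creation events below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# One regex per command family, matched against the lowercased command line.
DISCOVERY_FAMILIES = {
    'T1082 systeminfo':   re.compile(r'\bsysteminfo\b'),
    'T1057 tasklist':     re.compile(r'\btasklist\b'),
    'T1057/T1047 wmic':   re.compile(r'\bwmic\b.*\bprocess\b.*\bget\b'),
    'T1049 netstat':      re.compile(r'\bnetstat\b.*\s-[ano]+\b'),
    'T1016 ipconfig':     re.compile(r'\bipconfig\b.*/all'),
    'T1012 reg query':    re.compile(r'\breg\b\s+query\b'),
    'T1083 echo appdata': re.compile(r'\becho\b.*%appdata%'),
}

# Constructed events in an assumed "ts pid ppid image cmdline" line format.
SAMPLE_EVENTS = [
    '2021-04-23T10:15:01Z pid=4120 ppid=3388 image=C:\\Windows\\System32\\cmd.exe cmdline=cmd.exe /c systeminfo',
    '2021-04-23T10:15:02Z pid=4131 ppid=3388 image=C:\\Windows\\System32\\cmd.exe cmdline=cmd.exe /c tasklist',
    '2021-04-23T10:15:03Z pid=4140 ppid=3388 image=C:\\Windows\\System32\\cmd.exe cmdline=cmd.exe /c wmic process get Caption,ExecutablePath',
    '2021-04-23T10:15:04Z pid=4152 ppid=3388 image=C:\\Windows\\System32\\cmd.exe cmdline=cmd.exe /c netstat -aon',
    '2021-04-23T10:15:05Z pid=4160 ppid=3388 image=C:\\Windows\\System32\\cmd.exe cmdline=cmd.exe /c ipconfig /all',
    '2021-04-23T10:15:06Z pid=4171 ppid=3388 image=C:\\Windows\\System32\\cmd.exe cmdline=cmd.exe /c echo %APPDATA%',
    # Not spawned through cmd.exe: outside this rule's scope.
    '2021-04-23T10:15:07Z pid=4180 ppid=3388 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline=powershell -c systeminfo',
    # An administrator running two commands an hour later: stays below threshold.
    '2021-04-23T11:20:00Z pid=5200 ppid=2900 image=C:\\Windows\\System32\\cmd.exe cmdline=cmd.exe /c ipconfig /all',
    '2021-04-23T11:21:00Z pid=5204 ppid=2900 image=C:\\Windows\\System32\\cmd.exe cmdline=cmd.exe /c netstat -aon',
]

EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)\s+image=(?P<image>\S+)\s+cmdline=(?P<cmd>.*)$')


def parse_events(lines: List[str]) -> List[Tuple[datetime, int, str, str]]:
    """Return (timestamp, parent pid, lowercased image path, command line)."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue   # malformed line: skip rather than crash the pipeline
        ts = datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%SZ')
        events.append((ts, int(m['ppid']), m['image'].lower(), m['cmd']))
    return events


def classify(cmdline: str) -> List[str]:
    """Discovery families a single command line belongs to."""
    low = cmdline.lower()
    return [fam for fam, rx in DISCOVERY_FAMILIES.items() if rx.search(low)]


def detect_discovery_bursts(lines: List[str], window: timedelta = timedelta(seconds=120),
                            min_families: int = 3) -> Dict[int, List[str]]:
    """Map parent pid -> sorted families for parents that spawn at least
    min_families distinct discovery families via cmd.exe inside one window."""
    by_parent: Dict[int, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ppid, image, cmd in parse_events(lines):
        if not image.endswith('\\cmd.exe'):
            continue   # the page describes these commands as run through cmd.exe
        for fam in classify(cmd):
            by_parent[ppid].append((ts, fam))
    alerts: Dict[int, List[str]] = {}
    for ppid, hits in by_parent.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):   # slide the window over sorted hits
            fams = {fam for t, fam in hits[i:] if t - t0 <= window}
            if len(fams) >= min_families:
                alerts[ppid] = sorted(fams)
                break
    return alerts


if __name__ == '__main__':
    for ppid, fams in detect_discovery_bursts(SAMPLE_EVENTS).items():
        print(f'parent {ppid}: {len(fams)} discovery families: {fams}')
```

Keying on the parent rather than on each child is what separates the burst from an administrator typing the same commands: the malware process is the common parent, and it issues the whole set within seconds.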

Enterprise T1041 Exfiltration Over C2 Channel

Zebrocy has exfiltrated data to the designated C2 server using HTTP POST requests.[6][4]
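The exfiltration path described across the T1074.001, T1560, T1132.001 and T1041 rows (stage everything in one file, encrypt with an RC4-like cipher, hex-encode, send as a percent-encoded HTTP POST body) can be reproduced end to end, and the decoder is the piece an analyst needs once a key has been recovered from a sample. The following is an added example written for this page, not Zebrocy's code: the staging layout (length-prefixed records), the key, the form-field names and the sample files are constructed assumptions, and textbook RC4 stands in for the "method similar to RC4" the page mentions. Note what the example shows about the encoding layer: a hex payload contains only characters that percent-encoding leaves untouched, so the visible effect of T1132.001 is confined to the other form fields.

```python
"""Round-trip of a stage -> RC4 -> hex -> percent-encoded POST exfiltration
pipeline and the matching decoder. Added example; key, field names and sample
files are constructed, and textbook RC4 is used as the cipher."""
import struct
from typing import Dict
from urllib.parse import parse_qs, urlencode

DEMO_KEY = b'constructed-demo-key'          # assumed; not a Zebrocy key
SAMPLE_FILES = {                            # constructed "collected" files
    'Documents/report.docx': b'PK\x03\x04 constructed docx bytes',
    'Documents/budget.xls':  b'\xd0\xcf\x11\xe0 constructed xls bytes',
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); encryption and decryption are identical."""
    S = list(range(256))
    j = 0
    for i in range(256):                                    # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                       # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def stage(files: Dict[str, bytes]) -> bytes:
    """T1074.001: pack {name: content} into one blob of
    u32 name-length | name | u32 data-length | data records (assumed layout)."""
    blob = bytearray()
    for name in sorted(files):
        n = name.encode('utf-8')
        blob += struct.pack('>I', len(n)) + n + struct.pack('>I', len(files[name])) + files[name]
    return bytes(blob)


def unstage(blob: bytes) -> Dict[str, bytes]:
    """Inverse of stage(); raises ValueError on a truncated blob instead of
    silently returning partial data."""
    files: Dict[str, bytes] = {}
    pos = 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError('truncated staging blob')
        (nlen,) = struct.unpack_from('>I', blob, pos); pos += 4
        name = blob[pos:pos + nlen].decode('utf-8'); pos += nlen
        if pos + 4 > len(blob):
            raise ValueError('truncated staging blob')
        (dlen,) = struct.unpack_from('>I', blob, pos); pos += 4
        if pos + dlen > len(blob):
            raise ValueError('truncated staging blob')
        files[name] = blob[pos:pos + dlen]; pos += dlen
    return files


def build_post_body(files: Dict[str, bytes], key: bytes, host: str) -> str:
    """Attacker side: T1560 (RC4 + hex) then T1132.001 percent-encoding of the
    form body that T1041 sends in the POST. Field names are assumed."""
    payload = rc4(key, stage(files)).hex()
    return urlencode({'host': host, 'data': payload})


def decode_post_body(body: str, key: bytes) -> Dict[str, bytes]:
    """Analyst side: reverse every layer of a captured POST body."""
    fields = parse_qs(body, strict_parsing=True)
    payload = bytes.fromhex(fields['data'][0])
    return unstage(rc4(key, payload))


if __name__ == '__main__':
    body = build_post_body(SAMPLE_FILES, DEMO_KEY, 'WS-ALICE')
    print(body[:80] + '...')
    for name, content in decode_post_body(body, DEMO_KEY).items():
        print(name, len(content), 'bytes')
```

Because RC4 is symmetric and the keystream depends only on the key, every beacon from the same sample that reuses the key encrypts with the same keystream; XORing two captured payloads cancels it and leaves the XOR of the two plaintexts, which is one reason a captured body plus the key from a sample is normally enough to recover the staged file.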

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Zebrocy has a command to create a scheduled task for persistence.[4]

Groups That Use This Software

ID Name References
G0007 APT28 [1][2][9][3][7]

References