Zebrocy is Russian speaking APT that presents a strange set of stripes. To keep things simple, there are three things to know about Zebrocy
Zebrocy is an active sub-group of victim profiling and access specialists
Zebrocy maintains a lineage back through 2013, sharing malware artefacts and similarities with BlackEnergy
The past five years of Zebrocy infrastructure, malware set, and targeting have similarities and overlaps with both the Sofacy and BlackEnergy APTs, yet throughout that time it has remained different from both of those groups
We originally described a rare “Zebrocy Delphi payload” in late 2015 private reports. That malware set, activity, and infrastructure has greatly expanded. Its malware set has been coded in a half dozen languages or so. Related activity has gone on for years, spearphished hundreds of government, foreign affairs related, and military related targets, and initially was regarded as a Sofacy subset.
Essentially, in our SAS2019 presentation “Zebrocy’s Multilanguage Malware Salad”, we publicly provided for the first time original insights on Zebrocy and its characteristics, based on five years of research and private reports on this group:
Game is on – a small new Zebrocy spearphish wave with a new Golang downloader variant was sent out the week before SAS2019
Consistent profiling and process enumeration reporting behavior has been redeveloped and redeployed in Zebrocy backdoors across five+ years
Multiple bespoke second stage implants perform credential harvesting based on stage one process enumeration
Copy-and-paste coding tendencies
Complex overlaps with Sofacy and BlackEnergy/GreyEnergy over five years, suggesting a supportive role as a sub-group
Initial malware development and deployment lineage with BlackEnergy stretches back to 2013
While Zebrocy has never presented 0day exploits, this group’s lineage comes from not-so-humble BlackEnergy and Sofacy beg ..
Support the originator by clicking the read the rest link below.
