QuoINT safety researchers have recognized a brand new Zebrocy marketing campaign concentrating on international locations related to the North Atlantic Treaty Group (NATO).
Detailed for the primary time in 2018, Zebrocy has been related to the Russia-linked state-sponsored risk actor APT28 (also called Fancy Bear, Pawn Storm, Sednit, and Strontium), which has been energetic since no less than 2007.
Whereas some safety researchers see Zebrocy as a separate adversary, others have proven connections between varied risk actors working out of Russia, together with a hyperlink between GreyEnergy and Zebrocy assaults.
The just lately noticed marketing campaign, which seemingly began on August 5, employed the Delphi model of the Zebrocy malware and a command and management (C&C) infrastructure hosted in France, QuoINT’s safety researchers reveal.
Lures employed in these assaults had a NATO-related theme, a recurring motif in APT28 campaigns — the adversary used an analogous theme in assaults in 2017. The meant sufferer within the new assaults was a particular authorities physique in Azerbaijan, however different NATO members or international locations concerned in NATO workouts might need been focused as properly.
The attackers distributed what gave the impression to be a JPEG picture that, as a substitute, turned out to be a ZIP archive concatenated to evade detection. The file drops the Zebrocy executable and a corrupted Excel file, seemingly in an try and lure the meant sufferer into executing the malware.
As soon as executed, the malware creates a scheduled job to commonly try and ship stolen information to a distant area. On machines that the C&C server seems to seek out uninteresting, the connection is terminated by the server.
“QuoINT concludes with medium-high confidence that the marketing campaign focused a particular authorities physique, no less than in Azerbaijan. Though Azerbaijan just isn’t a NATO member, it carefully cooperates with the North-Atlantic organizations and participates in NATO workouts. Additional, the identical marketing campaign very seemingly focused different NATO members or international locations cooperating with NATO workouts,” QuoINT says.
The safety researchers additionally be aware that this APT28 assault exhibits placing similarities with a ReconHellcat/ BlackWater assault uncovered final month: the compressed Zebrocy malware and the lure within the BlackWater assault had been each uploaded on August 5 by the identical consumer in Azerbaijan (extremely seemingly by the identical group), the assaults occurred concurrently, and victimology is comparable in each assaults.
Moreover, the researchers level out that APT28 beforehand focused each NATO and the Group for Safety and Co-operation in Europe (OSCE) — the ReconHellcat marketing campaign was using OSCE-themed lures — however that there’s no “robust causation hyperlink […] or stable technical hyperlink between the 2 assaults.”
“We assessed ReconHellcat as a high-capability APT group, like APT28,” QuoINT concludes.
Associated: FBI, NSA Share Particulars on New ‘Drovorub’ Linux Malware Utilized by Russia
Associated: NSA Publishes IOCs Related With Russian Focusing on of Exim Servers
Associated: Phishing Marketing campaign Focusing on Ukrainian Agency Burisma Linked to Russian Cyberspies