APT28 Zebrocy’s Golang-based version has been under-detected


The hackers behind Zebrocy have added a new chapter to their malware distribution playbook.

Key points about the new variant of Zebrocy
Intezer’s researchers analyzed the latest version of Zebrocy and found that its operator, APT28, chose the Golang language over the older programming languages used for earlier variants, such as Delphi, AutoIT, C, and VB.NET.
The researchers observed a VHD file containing PDF documents and an executable file masquerading as a Microsoft Word document that actually contained Zebrocy malware.
Hiding the payload inside a VHD file successfully evaded antivirus engines, which did not detect the malware it contained.
To distribute this version, the threat actors used COVID-19 vaccine-themed phishing lures embedded in files from The International Pharmaceutical Corporation of China.

In November, U.S. Cyber Command, together with CISA and the FBI, released two samples of Zebrocy malware used by the APT28 hacking group, describing how Zebrocy works internally.

APT28’s most recent Zebrocy campaign
At the end of September, it was revealed that the APT28 team was using an upcoming NATO training exercise as a lure to deliver the Delphi version of Zebrocy, targeting specific government agencies in Azerbaijan.
Since at least August, Russian-speaking threat actor APT28 has been using the Delphi variant of the Zebrocy tool set for similar activities.

Bottom line
The evolving and innovative use of VHD files by Zebrocy malware demonstrates the threat actors’ proficiency in obfuscation and distribution techniques. In addition, the use of current topics, such as COVID-19 and its vaccines, entices victims to open the lures, making the threat more dangerous. Therefore, experts recommend that organizations use defense-in-depth strategies to prevent such threats.