apt28 sofacy

Zebrocy’s attack campaign against Kazakhstan

In March 2021, researchers discovered a series of attacks against Kazakhstan that used Delphocy, a malware family written in Delphi and previously tied to the Zebrocy group.

Zebrocy is suspected to be Russian-attributed, and its targets have mainly been concentrated in the former Soviet republics and, most recently, Asia.

The Word document used in the attack purported to come from Kazchrome, a Kazakh mining and metals company and one of the world's largest producers of ore and ferroalloys. The researchers found six Delphocy Word documents related to Zebrocy, all of which contained the same VBA script that dropped the PE file.

The VBA project in the Word documents is password-protected. After bypassing the protection, the project can be seen to contain both code modules and a UserForm. The statement ert.DataType = "bin.base64" is the usual MSXML DOM-element trick for base64 decoding in VBA (set DataType to "bin.base64", assign the text, read back nodeTypedValue), which indicates that the payload stored in UserForm1 is base64-encoded.

Selecting UserForm1 shows a base64-encoded string in its text box. The next step is to copy the entire string into a file, base64-decode it, and save the result as wininition.exe.
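The carving step above, as an added example that is not part of the original write-up or the malware: it reproduces what the macro's bin.base64 element does (strip whitespace, decode), refuses to write anything that does not carry an MZ header and a PE signature, and hashes the result in the three forms the IOC list uses. The sample UserForm text is constructed from a minimal fake PE header, not from the real wininition.exe; the function and variable names are this example's own.

```python
import base64
import hashlib
import re
import struct
from typing import Optional


def build_sample_pe() -> bytes:
    """Constructed stand-in for the dropped executable: a minimal DOS header
    whose e_lfanew points at a PE signature. This is NOT wininition.exe."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    nt_headers = b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 58  # signature + Machine=i386
    return bytes(dos_header) + nt_headers


# Constructed sample of what the UserForm1 text box holds: base64 text that the
# macro assembles from chunks, so it arrives with line breaks in it.
_encoded = base64.b64encode(build_sample_pe()).decode("ascii")
SAMPLE_USERFORM_TEXT = "\r\n".join(_encoded[i:i + 40] for i in range(0, len(_encoded), 40))


def decode_userform_payload(text: str) -> bytes:
    """Reproduce what ert.DataType = "bin.base64" does on the VBA side:
    ignore whitespace, then base64-decode. Strict mode, so a copy-paste
    error surfaces as an exception instead of a silently truncated file."""
    cleaned = re.sub(r"\s+", "", text)
    return base64.b64decode(cleaned, validate=True)


def is_pe(data: bytes) -> bool:
    """Sanity check before writing to disk: 'MZ' at offset 0 and 'PE\\0\\0'
    at the offset stored in e_lfanew (DOS header offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def hashes(data: bytes) -> dict:
    """MD5 / SHA1 / SHA256 of the carved file, matching the IOC list's formats."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def carve_payload(text: str, out_path: Optional[str] = None) -> dict:
    """Decode the UserForm text, refuse anything that is not a PE, optionally
    write it out (e.g. as wininition.exe), and return its hashes."""
    data = decode_userform_payload(text)
    if not is_pe(data):
        raise ValueError("decoded data is not a PE file")
    if out_path:
        with open(out_path, "wb") as fh:
            fh.write(data)
    return hashes(data)


if __name__ == "__main__":
    print(carve_payload(SAMPLE_USERFORM_TEXT))
```

For a real document, the text box contents can be pulled with olevba (oletools) instead of copied by hand; the decode and PE check are the same, and the resulting hashes can be compared directly against the IOC list below.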

WinMain of wininition.exe calls SetWindowsHookExW, the Windows API for installing a hook procedure that intercepts a chosen class of system events. The hook type used is WH_KEYBOARD_LL, the low-level keyboard hook, so the callback sees every key event before it reaches the foreground application (a WH_KEYBOARD_LL hook only fires while the installing thread runs a message loop, which is why the program keeps pumping messages). The hook procedure writes all recorded events to a log file, which is later sent to the C2.

The C2 URLs are obfuscated as hexadecimal strings that decode to ASCII. After decoding them, the researchers found that the domains appear to be compromised legitimate websites rather than attacker-registered infrastructure.
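A triage script for that obfuscation, added here as an example and not taken from the original analysis: it scans a binary for long runs of hex digits, decodes each, and keeps only those that decode to printable ASCII (and, more narrowly, to something URL-shaped). The sample blob is constructed for the example; it embeds the two defanged IOC URLs from this page as hex, one lower-case and one upper-case, plus a hex run that decodes to non-text so the filter has something to reject. It is not a slice of the real sample, and the function names are this example's own.

```python
import re
import string

# Bytes accepted as "decoded to ASCII": string.printable minus vertical tab
# and form feed, which never appear in real configuration strings.
PRINTABLE = set(string.printable.encode("ascii")) - {0x0B, 0x0C}

# Runs of at least 8 hex byte-pairs (16 hex digits). Shorter runs are too
# often incidental (hashes, GUIDs, numbers) to be worth decoding.
HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}){8,}")


def hex_encode(s: str) -> bytes:
    """How a string is stored in the binary under this scheme."""
    return s.encode("ascii").hex().encode("ascii")


# Constructed sample blob (not bytes from the real wininition.exe).
URL_1 = "hxxps://www.xbhp.com/dominargreatasianodyssey/wp-content/plugins/akismet/style.php"
URL_2 = "hxxps://www.c4csa.org/includes/sources/felims.php"
SAMPLE_BLOB = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 8
    + hex_encode(URL_1) + b"\x00\x00"
    + b"fwifjwoz" + b"\x00"                      # plain text, not a hex run
    + hex_encode(URL_2).upper() + b"\x00"
    + b"00ff10ff20ff30ff40ff50ff" + b"\x00"       # hex, but decodes to binary
    + b"\x00" * 4
)


def decode_hex_strings(blob: bytes, min_len: int = 8) -> list:
    """Find every long run of hex digits in blob and keep those whose decoded
    bytes are entirely printable ASCII and at least min_len bytes long."""
    found = []
    for match in HEX_RUN.finditer(blob):
        raw = bytes.fromhex(match.group().decode("ascii"))
        if len(raw) >= min_len and all(b in PRINTABLE for b in raw):
            found.append(raw.decode("ascii"))
    return found


def extract_c2_urls(blob: bytes) -> list:
    """Narrow the decoded strings down to URL-shaped values."""
    return [s for s in decode_hex_strings(blob) if "://" in s]


if __name__ == "__main__":
    for url in extract_c2_urls(SAMPLE_BLOB):
        print(url)
```

Run against a real unpacked sample, the URL filter is the useful output; the unfiltered decode_hex_strings list is worth a look too, since the same encoding is often applied to file paths, mutex names and user agents, not only to the C2.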

IOCs

URLs

hxxps://www.xbhp.com/dominargreatasianodyssey/wp-content/plugins/akismet/style.php
hxxps://www.c4csa.org/includes/sources/felims.php

MD5

49696043b51acca6ced2ab213bd4abef
c9a43fd6623bf0bc287012b6ee10a98e
069acbaa44a9a6f9ef5f7fb4a39805e8
9af37fd5def94ada2e693c5a0ea7b292
2157d2c3b5ba5ae6fe5052353668234e
74d01f0a1bcf7cecbd64cf3d2d2bf3fe
34194fd93d93f635e9e27e045d3e7aab
df6c6ee05898ce35ce5963ff0ae2344d

SHA1

fc0b7ad2ae9347d6d2ababe2947ffb9f7cc73030
71b4b9f105de94090fc36d9226faaa1db6d9f3d1
6a8f63c4491adcf2cf7f76cd1481c5647615a6c9
a3ecf1fdc1206e9d3061530fa91775cf3d97f788
ae01ca2cf0dc07abb3a7bef9930e38c9212975d5
66b39f4fd1dd51c2f548330e5818f732dad0aa28
6ec4eb883752b70db134ac0f4e0d5b4a77196184
afbdb13d8f620d0a5599cbc7a7d9ce8001ee32f1

SHA256

3b548a851fb889d3cc84243eb8ce9cbf8a857c7d725a24408934c0d8342d5811
1dd03c4ea4d630a59f73e053d705185e27e2e2545dd9caedb26a824ac5d11466
1e8261104cbe4e09c19af7910f83e9545fd435483f24f60ec70c3186b98603cc
c213b60a63da80f960e7a7344f478eb1b72cee89fd0145361a088478c51b2c0e
2bf088955007b4f47fe9187affe65fffea234ff16596313a74958a7c85129172
d9e7325f266eda94bfa8b8938de7b7957734041a055b49b94af0627bd119c51c
a442135c04dd2c9cbf26b2a85264d31a5ac4ec5d2069a7b63bc14b64a6dd82b7
ee7cfc55a49b2e9825a393a94b0baad18ef5bfced67531382e572ef8a9ecda4b