30 C
Jaipur
Tuesday, October 20, 2020

Fancy Bear APT Hackers Owned Zebrocy Malware Opens Backdoor

Must read

5G network: Verizon signs up Microsoft, Nokia to help clients build private 5G networks – Latest News

Verizon said it has struck deals with Microsoft and Nokia to improve the telecoms giant's ability to target business customers by offering clients the...

Some Apple Watch SE users are complaining of burning sensation on wrist due to overheating

Some Apple Watch SE users are complaining of overheating issues that are damaging the display of the newly launched watch. Reports of...

Trisquel GNU/Linux 9.0 “Etiona” Released: A 100% Free Operating System

Trisquel GNU/Linux is one of the few operating systems endorsed and listed under “Free GNU/Linux Distributions” by the Free Software Foundation. This is because...

Raspberry Pi Compute Module 4 With New Form Factor Announced For $25

In a surprise move, Raspberry Pi Foundation has announced a new addition to its family of single board computers – Raspberry Pi Compute Module...

Cybercriminals from Sednit group, also known as Fancy Bear, APT28, Sofacy launching new Zebrocy Malware that indented to open backdoor on the targeted machine to gain the remote access.

The sednit hacking group operates since 2004, the threat operators from this group employed a verity of hacking tools to perform its espionage operations.

Researchers from ESET believes that the Sednit group unleashed new components that target victims in various countries in the Middle East and Central Asia in 2015. Since then, the number and diversity of components have increased drastically.

Unlike other malware, Threat actors from Sednit group launched a spearphishing email campaign along with shortening URL using Bitly to delivery the first stage of malware, which is pretty unusual.

Credits :ESET

Based on ESET telemetry data, the URL is being delivered through the spearphishing Email, and the link is IP based which holding the archive payload in background.

Zebrocy Malware infection Process

Archived payload contains two files, in which, the first file indicate the malicious executable and the second file holding the weaponized PDF file.

Once the victims click the file, the binary will be executed, and it promotes the user to enter the password; eventually, PDF will open after the validation attempt.

PDF documents appeared to be empty, but the downloader start its malicious process in the background which is written in Delphi, and this first stage of the downloader will download another new downloader and execute it.

According to ESET, Once again this downloader is as straightforward as the Zebrocy gang’s other downloaders. It creates an ID and it downloads a new, interesting backdoor, (this time) written in Delphi.”

Later this backdoor will reside in the resource session and is split into four different hex-encoded, encrypted blobs.

Once the backdoor takes the system control, it sends necessary information about its newly compromised system. Later the operators take control of the backdoor and start to send commands right away.

There are some of the first set of commands that utilize the information about the victim’s computer and environment.

Commands Arguments
SCREENSHOT None
SYS_INFO None
GET_NETWORK None
SCAN_ALL None

“The commands above are commonly executed when the operators first connect to a newly activated backdoor. They don’t have any arguments, and they are quite self-explanatory. Other commands commonly seen executed shortly after these backdoors are activated”, listed below:

Commands Arguments
REG_GET_KEYS_VALUES HKEY_CURRENT_USER
SoftwareMicrosoftWindowsCurrentVersion
DOWNLOAD_DAY(30) c:*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg;*.jpeg; *.bmp;*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*

d:*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg;*.

DOWNLOAD_DAY(1) c:*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg*

d:*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg*

CMD_EXECUTE echo %APPDATA%
ipconfig /all
netstat -aon
CMD_EXECUTE wmic process get Caption,ExecutablePath
reg query
“HKCUSoftwareMicrosoftWindowsCurrentVersionRun” /s

The interesting part is that the threat actors also deploy the custom backdoor on the victim’s machine, and they use COM object hijacking to make the malware persistent on the system.

But unfortunately, researchers are unclear what was the purpose of this custom backdoor and also it is living a short time in the system. Later threat actors quickly remove it once they complete the task.

You can Download Free E-book to learn about complete Enterprise Security Implementation & Mitigation Steps – Download Free-Ebook Here.

Source link

- Advertisement -

More articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest article

5G network: Verizon signs up Microsoft, Nokia to help clients build private 5G networks – Latest News

Verizon said it has struck deals with Microsoft and Nokia to improve the telecoms giant's ability to target business customers by offering clients the...

Some Apple Watch SE users are complaining of burning sensation on wrist due to overheating

Some Apple Watch SE users are complaining of overheating issues that are damaging the display of the newly launched watch. Reports of...

Trisquel GNU/Linux 9.0 “Etiona” Released: A 100% Free Operating System

Trisquel GNU/Linux is one of the few operating systems endorsed and listed under “Free GNU/Linux Distributions” by the Free Software Foundation. This is because...

Raspberry Pi Compute Module 4 With New Form Factor Announced For $25

In a surprise move, Raspberry Pi Foundation has announced a new addition to its family of single board computers – Raspberry Pi Compute Module...

amazon app quiz: Amazon app quiz October 20, 2020: Get answers to these questions and win Echo smart speaker for free

Amazon app quiz is live now. As part of today’s quiz, the e-tailer is giving the participants a chance to win Amazon...