A Journey to Zebrocy Land (May 22, 2019)
ESET researchers have published a report on the “Zebrocy” backdoor used by the Russian Advanced Persistent Threat (APT) group “APT28.” The researchers analyzed Zebrocy, which APT28 has used increasingly since August 2018, to catalogue the commands the malware can execute and thereby infer which data types are of most interest to the group. Zebrocy was observed not only stealing credentials from numerous email providers and web browsers, but also deploying a second custom backdoor, via the command “CME_Execute,” onto target machines deemed more important than others. Interestingly, as of this writing the researchers do not know what this second backdoor is used for.
Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to protect against APTs, and it should cover both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.