Sofacy Creates New 'Go' Variant of Zebrocy Tool (Dec 18, 2018)

Researchers from Palo Alto found that the Advanced Persistent Threat (APT) group "Sofacy" (also known as APT28, FancyBear, Sednit, and STRONTIUM) is using a new version of the "Zebrocy" trojan. This version is written in the Go language, most likely to change the trojan's structure and evade detection. Sofacy conducted two separate spear phishing campaigns to deliver it. The first began on October 11, 2018; its emails used the recent US sanctions on Russia as a lure and carried an LNK shortcut attachment. The LNK was meant to run a series of PowerShell scripts that would execute the payload, but the scripts were coded incorrectly, so the first campaign failed. A second campaign ran from mid-October 2018 until mid-November 2018. Its emails carried a Word document that asked the recipient to enable content in order to view it properly. If content was enabled, the Go version of Zebrocy was installed, allowing the group to take screenshots of the system, gather system-specific information using a legitimate GitHub library, and send all of it to a designated Command and Control (C2) server via an HTTP POST request.

Recommendation: Ensure that your company's firewall blocks all entry points for unauthorized users, and keep records of what normal traffic on your network looks like, so that unusual traffic and unexpected connections to and from your network are easier to spot and investigate as potentially malicious activity. Furthermore, ensure that your employees are educated about the risks of opening attachments or clicking on links in emails, particularly from unknown senders. An attachment that asks for macros to be enabled is often indicative of phishing, and macros should not be enabled unless a trusted authority has explicitly instructed the user to do so.
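The baseline-and-compare approach above, applied to the HTTP POST exfiltration this report describes, as an added example that is not part of the original report: the script learns which (source, destination) pairs appear in a known-good period of proxy logs, then flags HTTP POSTs from any host to a destination it has never been seen talking to. The log format, IPs and hostnames are constructed, simplified placeholders, not any vendor's real format.

```python
"""Flag HTTP POSTs to destinations absent from a traffic baseline.

Added example, not code from the original report. The proxy log format
(timestamp, source IP, method, destination host, bytes sent) is a
constructed, simplified one used only for illustration.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<bytes>\d+)$"
)

def parse(lines):
    """Yield a dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            yield rec

def build_baseline(lines):
    """Set of (src, host) pairs observed during a known-good period."""
    return {(r["src"], r["host"]) for r in parse(lines)}

def find_suspicious_posts(lines, baseline):
    """Return {(src, host): [bytes, ...]} for POSTs to unbaselined hosts."""
    hits = defaultdict(list)
    for r in parse(lines):
        if r["method"] == "POST" and (r["src"], r["host"]) not in baseline:
            hits[(r["src"], r["host"])].append(r["bytes"])
    return dict(hits)

# Constructed sample data; all IPs and hostnames are placeholders.
BASELINE_LOGS = [
    "2018-10-20T09:00:01 10.0.0.5 GET intranet.example.internal 512",
    "2018-10-20T09:00:05 10.0.0.5 POST mail.example.internal 2048",
    "2018-10-20T09:01:10 10.0.0.7 GET update.vendor.example 1024",
]
NEW_LOGS = [
    "2018-11-02T10:00:00 10.0.0.5 POST mail.example.internal 1900",
    "2018-11-02T10:00:30 10.0.0.5 POST unknown-c2.example 65536",  # screenshot-sized upload
    "2018-11-02T10:05:30 10.0.0.5 POST unknown-c2.example 4096",
    "2018-11-02T10:06:00 10.0.0.7 GET update.vendor.example 1024",
    "not a log line",
]

if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    for (src, host), sizes in find_suspicious_posts(NEW_LOGS, base).items():
        print(f"{src} -> {host}: {len(sizes)} POST(s), {sum(sizes)} bytes sent")
```

Only the POSTs to the never-before-seen host are reported; the routine POST to the mail server and the GET traffic stay quiet, which is the point of keeping a baseline.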

ThreatStream users can view the Indicators of Compromise (IOCs) associated with this story here to identify potentially malicious activity in their environment.