Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Zebrocy

Zebrocy is a Trojan that has been used by APT28 since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang. (Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: CISA Zebrocy Oct 2020)
ID: S0251
Associated Software: Zekapab
Type: MALWARE
Platforms: Windows
Version: 3.0
Created: 17 Oct 2018
Last Modified: 23 Apr 2021

Associated Software Descriptions

Name Description
Zekapab (Citation: CyberScoop APT28 Nov 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Zebrocy uses HTTP for C2.(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018)

.003 Application Layer Protocol: Mail Protocols

Zebrocy uses SMTP and POP3 for C2.(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: ESET Zebrocy May 2019)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Zebrocy creates an entry in a Registry Run key for the malware to execute on startup.(Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018)

Enterprise T1037 .001 Boot or Logon Initialization Scripts: Logon Script (Windows)

Zebrocy performs persistence with a logon script via adding to the Registry key HKCU\Environment\UserInitMprLogonScript.(Citation: ESET Zebrocy Nov 2018)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Zebrocy uses cmd.exe to execute commands on the system.(Citation: ESET Zebrocy May 2019)(Citation: CISA Zebrocy Oct 2020)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Zebrocy has the capability to upload dumper tools that extract credentials from web browsers and store them in database files.(Citation: ESET Zebrocy May 2019)

Enterprise T1132 .001 Data Encoding: Standard Encoding

Zebrocy has used URL/Percent Encoding on data exfiltrated via HTTP POST requests.(Citation: Accenture SNAKEMACKEREL Nov 2018)

Enterprise T1074 .001 Data Staged: Local Data Staging

Zebrocy stores all collected information in a single file before exfiltration.(Citation: ESET Zebrocy Nov 2018)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Zebrocy uses SSL and AES ECB for encrypting C2 communications.(Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: CISA Zebrocy Oct 2020)

Enterprise T1070 .004 Indicator Removal: File Deletion

Zebrocy has a command to delete files and directories.(Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: CISA Zebrocy Oct 2020)

Enterprise T1056 .004 Input Capture: Credential API Hooking

Zebrocy installs an application-defined Windows hook to get notified when a network drive has been attached, so it can then use the hook to call its RecordToFile file stealing method.(Citation: Securelist Sofacy Feb 2018)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Zebrocy's Delphi variant was packed with UPX.(Citation: Unit42 Sofacy Dec 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Zebrocy has a command to create a scheduled task for persistence.(Citation: CISA Zebrocy Oct 2020)

Groups That Use This Software

ID Name References
G0007 APT28

(Citation: Palo Alto Sofacy 06-2018) (Citation: Unit42 Cannon Nov 2018) (Citation: Securelist Sofacy Feb 2018) (Citation: Unit42 Sofacy Dec 2018) (Citation: ESET Zebrocy May 2019)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.