Zebrocy
Associated Software Descriptions

| Name | Description |
|---|---|
| Zekapab | (Citation: CyberScoop APT28 Nov 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Zebrocy uses HTTP for C2.(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018) |
| Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | Zebrocy uses SMTP and POP3 for C2.(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: ESET Zebrocy May 2019) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Zebrocy creates an entry in a Registry Run key for the malware to execute on startup.(Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018) |
| Enterprise | T1037.001 | Boot or Logon Initialization Scripts: Logon Script (Windows) | Zebrocy performs persistence with a logon script via adding to the Registry key |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Zebrocy uses cmd.exe to execute commands on the system.(Citation: ESET Zebrocy May 2019)(Citation: CISA Zebrocy Oct 2020) |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Zebrocy has the capability to upload dumper tools that extract credentials from web browsers and store them in database files.(Citation: ESET Zebrocy May 2019) |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | Zebrocy has used URL/Percent Encoding on data exfiltrated via HTTP POST requests.(Citation: Accenture SNAKEMACKEREL Nov 2018) |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Zebrocy stores all collected information in a single file before exfiltration.(Citation: ESET Zebrocy Nov 2018) |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Zebrocy uses SSL and AES ECB for encrypting C2 communications.(Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: CISA Zebrocy Oct 2020) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Zebrocy has a command to delete files and directories.(Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: CISA Zebrocy Oct 2020) |
| Enterprise | T1056.004 | Input Capture: Credential API Hooking | Zebrocy installs an application-defined Windows hook to get notified when a network drive has been attached, so it can then use the hook to call its RecordToFile file-stealing method.(Citation: Securelist Sofacy Feb 2018) |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Zebrocy's Delphi variant was packed with UPX.(Citation: Unit42 Sofacy Dec 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Zebrocy has a command to create a scheduled task for persistence.(Citation: CISA Zebrocy Oct 2020) |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0007 | APT28 | (Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: ESET Zebrocy May 2019) |
References
- ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
- Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
- Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
- Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
- CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
- Shoorbajee, Z. (2018, November 29). Accenture: Russian hackers using Brexit talks to disguise phishing lures. Retrieved July 16, 2019.
- Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
- ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
- Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.