Zebrocy

Zebrocy is a Trojan that has been used by APT28 since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang. (Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: CISA Zebrocy Oct 2020)
ID: S0251
Associated Software: Zekapab
Type: MALWARE
Platforms: Windows
Version: 3.0
Created: 17 Oct 2018
Last Modified: 23 Apr 2021

Associated Software Descriptions

Name Description
Zekapab (Citation: CyberScoop APT28 Nov 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Zebrocy uses HTTP for C2.(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018)

Enterprise T1071 .003 Application Layer Protocol: Mail Protocols

Zebrocy uses SMTP and POP3 for C2.(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Zebrocy creates an entry in a Registry Run key for the malware to execute on startup.(Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018)

Enterprise T1037 .001 Boot or Logon Initialization Scripts: Logon Script (Windows)

Zebrocy performs persistence with a logon script via adding to the Registry key HKCU\Environment\UserInitMprLogonScript.(Citation: ESET Zebrocy Nov 2018)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Zebrocy uses cmd.exe to execute commands on the system.(Citation: ESET Zebrocy May 2019)(Citation: CISA Zebrocy Oct 2020)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Zebrocy has the capability to upload dumper tools that extract credentials from web browsers and store them in database files.(Citation: ESET Zebrocy May 2019)

Enterprise T1132 .001 Data Encoding: Standard Encoding

Zebrocy has used URL/Percent Encoding on data exfiltrated via HTTP POST requests.(Citation: Accenture SNAKEMACKEREL Nov 2018)

Enterprise T1074 .001 Data Staged: Local Data Staging

Zebrocy stores all collected information in a single file before exfiltration.(Citation: ESET Zebrocy Nov 2018)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Zebrocy uses SSL and AES ECB for encrypting C2 communications. (AES in ECB mode is a symmetric cipher; the asymmetric component of this channel is the SSL/TLS handshake, not the AES layer.)(Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: CISA Zebrocy Oct 2020)

Enterprise T1070 .004 Indicator Removal: File Deletion

Zebrocy has a command to delete files and directories.(Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: CISA Zebrocy Oct 2020)

Enterprise T1056 .004 Input Capture: Credential API Hooking

Zebrocy installs an application-defined Windows hook to get notified when a network drive has been attached, so it can then use the hook to call its RecordToFile file stealing method.(Citation: Securelist Sofacy Feb 2018)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Zebrocy's Delphi variant was packed with UPX.(Citation: Unit42 Sofacy Dec 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Zebrocy has a command to create a scheduled task for persistence.(Citation: CISA Zebrocy Oct 2020)
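The two registry persistence locations listed above (Run keys, T1547.001, and HKCU\Environment\UserInitMprLogonScript, T1037.001) can be hunted in Sysmon Event ID 13 (RegistryEvent, Value Set) telemetry. The script below is an added example written for this page, not code from the ATT&CK entry or from any Zebrocy sample; the flattened record format, the SIDs, paths and file names in the sample events are all constructed for the example and are not Zebrocy indicators.

```python
import re
from dataclasses import dataclass

# Added example (not from the ATT&CK entry or any Zebrocy sample): hunt
# Sysmon Event ID 13 (RegistryEvent - Value Set) records for the two Zebrocy
# persistence locations described above. Sysmon records user hives as
# HKU\<SID>, so the patterns deliberately do not anchor on HKCU.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
LOGON_SCRIPT_RE = re.compile(r"\\Environment\\UserInitMprLogonScript$", re.I)
# Directories an unprivileged user can write to; an autostart pointing here
# deserves a closer look even when the key itself is commonly used.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)

@dataclass
class Finding:
    technique: str         # ATT&CK sub-technique ID the record maps to
    image: str             # process that wrote the value
    target: str            # registry value that was set
    details: str           # data written (usually the autostart command line)
    suspicious_path: bool  # autostart target lives in a user-writable directory

def parse_record(line: str) -> dict:
    """Parse one flattened 'Field: value | Field: value' record into a dict.
    Splitting on the first ':' only keeps drive letters in paths intact."""
    fields = {}
    for chunk in line.split(" | "):
        key, _, value = chunk.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def hunt(records):
    """Return one Finding per record that sets a Zebrocy persistence value."""
    findings = []
    for line in records:
        ev = parse_record(line)
        if ev.get("EventID") != "13":
            continue
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        if LOGON_SCRIPT_RE.search(target):
            technique = "T1037.001"   # logon script via UserInitMprLogonScript
        elif RUN_KEY_RE.search(target):
            technique = "T1547.001"   # Registry Run / RunOnce key
        else:
            continue
        findings.append(Finding(technique, ev.get("Image", ""), target, details,
                                bool(USER_WRITABLE_RE.search(details))))
    return findings

# Constructed sample telemetry for this example; SIDs, paths and file names
# are made up and are not Zebrocy indicators.
SAMPLE_EVENTS = [
    "EventID: 13 | Image: C:\\Users\\alice\\AppData\\Local\\Temp\\svchelper.exe"
    " | TargetObject: HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\UserInitMprLogonScript"
    " | Details: C:\\Users\\alice\\AppData\\Local\\Temp\\svchelper.exe",
    "EventID: 13 | Image: C:\\Program Files\\Vendor\\updater.exe"
    " | TargetObject: HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdate"
    " | Details: \"C:\\Program Files\\Vendor\\updater.exe\" /silent",
    "EventID: 13 | Image: C:\\Windows\\explorer.exe"
    " | TargetObject: HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"
    " | Details: DWORD (0x00000001)",
    "EventID: 11 | Image: C:\\Windows\\System32\\cmd.exe"
    " | TargetFilename: C:\\Users\\alice\\AppData\\Local\\Temp\\collect.dat",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        flag = " [user-writable path]" if f.suspicious_path else ""
        print(f"{f.technique} {f.image} -> {f.target} = {f.details}{flag}")
```

UserInitMprLogonScript is almost never set by legitimate software, so any write to it is worth a ticket on its own; Run key writes are common, which is why the example adds the user-writable-path heuristic instead of alerting on every hit.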
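The UPX packing noted above for the Delphi variant (T1027.002) is cheap to triage statically: stock UPX leaves its UPX0/UPX1 section names in the PE section table, and a compressed section body has near-maximal byte entropy. The code below is an added example written for this page, not code from the ATT&CK entry or from any Zebrocy sample. It parses the section table itself so it runs offline; the 7.0 bits/byte threshold, the build_pe helper and the three sample images are assumptions constructed for the example, and the images are not loadable executables.

```python
import math
import random
import struct
from collections import Counter

# Added example (not from the ATT&CK entry or any Zebrocy sample): a static
# triage check for UPX packing. The section-name check catches stock UPX;
# the entropy check still fires when the section names have been renamed,
# which is a common trivial evasion.

def pe_sections(data: bytes):
    """Return [(name, raw_bytes)] for each section of a PE image.
    Raises ValueError rather than guessing when the headers are malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: NumberOfSections at +2, SizeOfOptionalHeader at +16
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    if n_sections == 0:
        raise ValueError("no sections")
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        off = table + i * 40            # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        if raw_ptr + raw_size > len(data):
            raise ValueError("section data runs past end of file")
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         data[raw_ptr:raw_ptr + raw_size]))
    return sections

def shannon_entropy(blob: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())

def packer_verdict(data: bytes) -> dict:
    """Flag a PE as likely packed on UPX section names or on a high-entropy
    largest section (7.0 bits/byte is an assumed, commonly used threshold)."""
    sections = pe_sections(data)
    upx_names = [name for name, _ in sections if name.startswith("UPX")]
    largest = max(sections, key=lambda s: len(s[1]))
    entropy = shannon_entropy(largest[1])
    return {
        "upx_sections": upx_names,
        "largest_section": largest[0],
        "largest_entropy": round(entropy, 2),
        "likely_packed": bool(upx_names) or entropy > 7.0,
    }

def build_pe(sections) -> bytes:
    """Assemble a minimal, NOT loadable PE image from [(name, raw_bytes)].
    Constructed purely so the checks above have something to parse offline."""
    n = len(sections)
    opt = b"\x0b\x02" + b"\0" * 238                      # PE32+ magic, rest zeroed
    hdr_end = 0x40 + 4 + 20 + len(opt) + 40 * n
    raw_off = (hdr_end + 0x1FF) & ~0x1FF                 # first section on a 0x200 boundary
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, len(opt), 0x22)
    headers, bodies, off = b"", b"", raw_off
    for name, blob in sections:
        headers += struct.pack("<8sIIIIIIHHI", name, len(blob), 0x1000,
                               len(blob), off, 0, 0, 0, 0, 0x60000020)
        bodies += blob
        off += len(blob)
    return dos + b"PE\0\0" + coff + opt + headers + b"\0" * (raw_off - hdr_end) + bodies

# Constructed samples: a seeded pseudo-random blob stands in for a compressed
# body, a repeated instruction pattern for ordinary code.
PACKED_BODY = random.Random(1).randbytes(4096)
CODE_BODY = b"\x55\x48\x89\xe5\x48\x83\xec\x20" * 512
SAMPLE_UPX = build_pe([(b"UPX0", b""), (b"UPX1", PACKED_BODY), (b".rsrc", b"\0" * 512)])
SAMPLE_RENAMED = build_pe([(b".text", PACKED_BODY), (b".rsrc", b"\0" * 512)])
SAMPLE_CLEAN = build_pe([(b".text", CODE_BODY), (b".data", b"config=1\r\n" * 64)])

if __name__ == "__main__":
    for label, blob in [("upx", SAMPLE_UPX), ("renamed", SAMPLE_RENAMED), ("clean", SAMPLE_CLEAN)]:
        print(label, packer_verdict(blob))
```

The parser refuses malformed headers instead of guessing, because packed and hand-edited samples frequently carry truncated or inconsistent section tables and a silent misparse would turn into a false negative. Treat a positive verdict as a reason to unpack and look further, not as attribution: UPX is used by plenty of legitimate software.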

Groups That Use This Software

ID Name References
G0007 APT28

(Citation: Palo Alto Sofacy 06-2018) (Citation: Unit42 Cannon Nov 2018) (Citation: Securelist Sofacy Feb 2018) (Citation: Unit42 Sofacy Dec 2018) (Citation: ESET Zebrocy May 2019)
