Russian APT28 Hackers Use COVID-19 Lures to Deliver Zebrocy Malware via VHD File

by chebbi abir

The security firm Intezer revealed COVID-19 phishing lures that were used to deliver the Go version of Zebrocy. Zebrocy is mainly used against governments and commercial organizations engaged in foreign affairs.

The lure consisted of a document about Sinopharm International Corporation, a pharmaceutical company whose COVID-19 vaccine is currently going through phase three clinical tests.

While many COVID-19 vaccines are close to being approved for clinical use, it is likely that APTs (Advanced Persistent Threats) and financially motivated threat actors will use this malware in their attacks.

Zebrocy Malware via VHD File

Zebrocy is malware used by the threat group Sofacy, also referred to as Sednit, APT28, Fancy Bear, and STRONTIUM. Sofacy was one of the groups indicted by the Department of Justice (DOJ) for the compromise of the Democratic National Committee (DNC).

Zebrocy functions as a downloader and collects information about the infected host that is uploaded to the command and control (C&C) server before downloading and executing the subsequent stage.

The first version of the downloader was written in Delphi and was based on a previous malware used by Sofacy. Zebrocy samples written in AutoIT, C++, C#, Delphi, Go, and VB.NET have been discovered by the research community.

The delivery of Zebrocy is usually via a spear-phishing email. The email includes Microsoft Office documents or archive files.

Technical Analysis

Intezer discovered a Virtual Hard Drive (VHD) file named 30-22-243.vhd that was uploaded from Azerbaijan to the VirusTotal scanning platform. VHD is the native file format for virtual hard drives used by Microsoft’s hypervisor, Hyper-V. Windows 10 has native support for the file format and allows the user to mount the file and access its content.

If the user double-clicks on the file, Windows will mount the drive and it appears as an external hard drive (as shown in figure 2).

Content of the VHD file

It contains two files: a PDF file and an executable disguised as a Microsoft Word document. The researchers observed that the PDF file consists of presentation slides about Sinopharm International Corporation.
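Two defensive checks suggested by this delivery chain, as an added example that is not Intezer's code or part of the original article: recognising a VHD image by its footer rather than its extension (a mail gateway that filters on extension alone misses renamed images), and flagging files inside a mounted image that carry a document name but start with a Windows executable header. The sample image and the mock mounted folder are constructed inline; the file names are illustrative and the format details (the "conectix" footer cookie, the "MZ" PE prefix) are stated as assumptions in the comments.

```python
import os
import tempfile

# Assumed format facts: a VHD image ends in a 512-byte footer whose first 8 bytes are
# the cookie "conectix" (dynamic images mirror it at offset 0); PE executables start with "MZ".
VHD_COOKIE = b"conectix"
PE_MAGIC = b"MZ"
DOC_EXTS = {".doc", ".docx", ".rtf", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}

def is_vhd(path):
    """True if the file carries a VHD footer, whatever its extension says."""
    size = os.path.getsize(path)
    if size < 512:
        return False
    with open(path, "rb") as f:
        head = f.read(8)
        f.seek(size - 512)
        tail = f.read(8)
    return VHD_COOKIE in (head, tail)

def looks_like_document(name):
    """Document extension, or a document extension buried before the real one (notes.docx.exe)."""
    return any("." + p in DOC_EXTS for p in name.lower().split(".")[1:])

def find_masquerading_executables(directory):
    """Names of files in a mounted image that present as documents but begin with a PE header."""
    hits = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if not os.path.isfile(full) or not looks_like_document(name):
            continue
        with open(full, "rb") as f:
            if f.read(2) == PE_MAGIC:
                hits.append(name)
    return hits

def build_constructed_samples():
    """Constructed test data only: a minimal VHD-like image and a mock mounted-drive folder."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "mounted"))
    files = {
        "lure.vhd": b"\0" * 1024 + VHD_COOKIE.ljust(512, b"\0"),  # footer as last 512 bytes
        "mounted/slides.pdf": b"%PDF-1.4 constructed lure, no real content",
        "mounted/Sinopharm.docx": PE_MAGIC + b"\x90" * 62,          # PE bytes under a document name
        "mounted/notes.docx.exe": PE_MAGIC + b"\x90" * 62,          # double extension
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root
```

Run against a real mounted image, `find_masquerading_executables` takes the drive letter's root; the magic-byte check is cheap enough to run on every attachment that a gateway has already extracted.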


“The threat group behind Zebrocy is using COVID-19-themed related lures when many vaccines are about to get approved for use. The group is known to use current events as part of their phishing lures”, says the Intezer report.

Intezer’s security researchers discovered another Go version of Zebrocy, used in previous attacks, as well as a second VHD file that was uploaded to VirusTotal in October, and which was dropping the Delphi version of the malware. The PDF lure in this file was written in Russian.

Final Word

“With these recent phishing lures, it’s clear that COVID-19 themed attacks are still a threat and we might see more as vaccines become available to the general public. Companies must use defense-in-depth strategies to protect against threats. Employers should also ensure employees are trained on detecting and reacting to phishing attempts,” Intezer concludes.
