Threat Intelligence, Malware, Phishing

Sofacy rolls our Zebrocy toolkit to hit government targets

The Russian APT cybergang Sofacy has rolled out a new campaign based on a seldom used attack tool called Zebrocy and is using it to target government, diplomatic and other strategic organizations primarily in North America and Europe.

The group has been tracked and analyzed by PaloAlto's Unit 42, which has found Sofacy using phishing attacks with emails containing malicious Microsoft Office documents with macros or other executable attachments to deliver Zebrocy. Zebrocy, a downloader and backdoor malware, has long been associated with Sofacy and its partner groups Sednit and APT28. The last time Sofacy was on the move was in March when it was attacking European targets with the Adobe Flash-based exploit platform DealersChoice.

Since then Sofacy has altered its attack plan and is now using Zebrocy to try and infiltrate as many end points inside the target as possible with no rhyme or reason behind who is targeted.

“This is a stark contrast with other attacks commonly associated with the Sofacy group where generally no more than a handful of victims are targeted within a single organization in a focus-fire style of attack,” the report stated.

Versions of Zebrocy made in Delphi, AutoIt, and C++ have been spotted in the wild.

The letters used in the phishing emails are on very general topics, one shared by Unit 42 purported to be from the Uzbekistan government on the “implementation of the 2030 agenda for sustainable development”. It then asks the recipient to circulate the letter as a document of the General Assembly. It was signed by Bakhtiyor Ibragimov who is the ambassador, permanent representative of Uzbekistan to the United Nations.

These letters have been seen delivering both Zebrocy along with the Dynamic Data Exchange (DDE) exploit technique that was exposed by McAfee in November 2017. The DDE attack, in this case, was used by Sofacy to deliver an open-source penetration testing toolkit called Koadic, which is the first time the group used this particular toolkit.

Unit 42 closed saying the appearance of Zebrocy in Sofacy's toolbox does not mean the group has stopped using other attack methods, but is carrying out parallel campaigns using its older tools and methodologies.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.