QuoINT security researchers have identified a new Zebrocy campaign targeting countries aligned with the North Atlantic Treaty Organization (NATO).
First detailed in 2018, Zebrocy has been attributed to APT28 (also known as Fancy Bear, Pawn Storm, Sednit, and Strontium), a Russia-linked state-sponsored threat actor active since at least 2007.
Although some security analysts regard Zebrocy as a distinct adversary, others have noted overlaps between various threat actors operating out of Russia, including a link between GreyEnergy and Zebrocy attacks.
QuoINT’s researchers report that the newly detected campaign, which appears to have begun on August 5, used the Delphi variant of the Zebrocy malware and command-and-control (C&C) infrastructure hosted in France.
The adversary used a similar theme in attacks in 2017. The lures in these attacks had a NATO-related theme, a recurring motif in APT28 campaigns. A specific government agency in Azerbaijan was the intended victim of the latest attacks, but other NATO members or countries taking part in NATO exercises may have been targeted as well.
The attackers distributed what appeared to be a JPEG file but was in fact a concatenated ZIP archive, a trick intended to evade detection. The archive drops the Zebrocy executable together with a decoy Excel file, presumably to entice the intended target into executing the malware.
Once executed, the malware creates a scheduled task that periodically attempts to send stolen data to a remote domain. On machines the C&C server apparently judges uninteresting, the server terminates the connection.
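The JPEG-that-is-really-a-ZIP lure described above can be spotted from the file layout alone. The following Python check is an added example, not QuoINT's or any vendor's tooling: it locates the ZIP end-of-central-directory record and tests whether its recorded offsets are shifted by a JPEG-sized prefix, which is the tell of a concatenated archive. The sample it builds is constructed for illustration and contains only harmless placeholder entries.

```python
import io
import struct
import zipfile
from typing import Optional

JPEG_SOI = b"\xff\xd8"       # Start Of Image marker
JPEG_EOI = b"\xff\xd9"       # End Of Image marker
EOCD_SIG = b"PK\x05\x06"     # ZIP End of Central Directory signature
EOCD_MIN_LEN = 22            # fixed-size part of the EOCD record

def find_appended_zip(data: bytes) -> Optional[dict]:
    """Return details if `data` is a JPEG with a ZIP archive concatenated after it, else None.

    ZIP offsets are recorded relative to the archive start, so when a JPEG is prepended
    the recorded central-directory offset is smaller than the real one by exactly the
    length of the JPEG prefix. That mismatch is what this check looks for.
    """
    if not data.startswith(JPEG_SOI):
        return None
    # The EOCD is at the very end, optionally followed by a comment of up to 65535 bytes.
    eocd_pos = data.rfind(EOCD_SIG, max(0, len(data) - EOCD_MIN_LEN - 65535))
    if eocd_pos < 0:
        return None
    # sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_offset(4) comment_len(2)
    fields = struct.unpack("<4sHHHHIIH", data[eocd_pos:eocd_pos + EOCD_MIN_LEN])
    n_total, cd_size, cd_offset = fields[4], fields[5], fields[6]
    prefix_len = eocd_pos - (cd_offset + cd_size)
    if prefix_len <= 0:
        return None  # plain ZIP or truncated data, not a JPEG-prefixed polyglot
    # zipfile tolerates a prefix, so the entry names can still be listed for triage.
    names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    return {
        "prefix_len": prefix_len,
        "clean_jpeg_end": data[:prefix_len].endswith(JPEG_EOI),
        "entry_count": n_total,
        "entries": names,
    }

def build_sample() -> bytes:
    """Constructed sample: minimal JPEG skeleton (SOI, APP0 segment, EOI) + a small ZIP."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    jpeg = JPEG_SOI + b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif + JPEG_EOI
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Report.xls", b"constructed decoy spreadsheet content")
        zf.writestr("Report.exe", b"constructed placeholder, not an executable")
    return jpeg + buf.getvalue()

if __name__ == "__main__":
    print(find_appended_zip(build_sample()))
```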
With medium-high confidence, QuoINT assesses that the operation targeted a single government agency, at least in Azerbaijan. “While not a member of NATO, Azerbaijan cooperates closely with North Atlantic organisations and participates in NATO exercises. Furthermore, other NATO members or countries collaborating in NATO exercises were most likely hit by the same campaign,” QuoINT says.
The researchers also note that this APT28 attack shows remarkable parallels to last month’s ReconHellcat / BlackWater attack: the compressed Zebrocy malware and the lure from the BlackWater attack were both posted by the same user in Azerbaijan on August 5 (most likely by the same organisation), the attacks occurred at the same time, and the victimology of the two attacks is identical.
In addition, the researchers point out that APT28 has previously attacked both NATO and the Organization for Security and Co-operation in Europe (OSCE) (the ReconHellcat campaign used OSCE-themed lures), but that there is no “clear causal connection […] or strong technological relation between the two attacks.”
“We evaluated ReconHellcat, like APT28, as a high-capacity APT community,” QuoINT concludes.