Zebrocy Trojan morphs into new variant

Some time ago, the InfoSec community first encountered the Zebrocy Trojan. The Trojan was attributed to the Russia-based Sofacy threat group, which is tracked under many alternative names, each with many attacks attributed to it. As Unit 42's research stated when Zebrocy first emerged, the Trojan has been used primarily to target governmental organizations in North America and Europe. The preferred method of spreading Zebrocy has been phishing emails carrying malicious macros that, once enabled, launch the Trojan's payload. Most notable about Zebrocy is the number of different programming languages its successive variants have been written in.

The newest variant currently being deployed, described in a new research post from Unit 42, is written in the Go language. At the time Unit 42 released its research, there had been two identifiable attacks involving this variant. The researchers describe these two instances in further detail as follows:

The first attack occurred on October 11 and relied on a spear-phishing email with an LNK shortcut attachment. The LNK shortcut is meant to run a series of PowerShell scripts to extract a payload from the shortcut to install and execute; however, the PowerShell scripts were coded incorrectly and could not install or run the payload as delivered. Therefore, the first observed attack mentioned in this blog could not be successful, but the tactics, techniques and indicators are worth discussing for situational awareness. More recently, we have seen Sofacy delivering the Go variant of Zebrocy using a document related to the Dear Joohn attack campaign that occurred in mid-October through mid-November.
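The delivery chain quoted above (a shortcut attachment whose target launches PowerShell to extract and run a payload) is something a defender can look for in endpoint process-creation telemetry, independent of whether a given campaign's scripts happen to work. The following is an added example, not code from this article or from Unit 42: the event fields, the constructed sample events, and the heuristic of pairing an explorer.exe parent with script-staging flags are all assumptions made here for illustration.

```python
"""Heuristic detection of shortcut-launched PowerShell over constructed process-creation events."""
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class ProcessEvent:
    # Minimal process-creation record; field names are an assumption, not a vendor schema.
    parent_image: str
    image: str
    command_line: str

@dataclass
class Finding:
    event: ProcessEvent
    reasons: List[str]

# Command-line traits often seen when a script stages a payload. The set and the
# "two or more traits" threshold below are assumptions chosen for this example.
SUSPICIOUS_PATTERNS = {
    r"-(?:w|win|windowstyle)\s+hidden": "hidden window",
    r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}": "encoded command",
    r"-(?:ep|executionpolicy)\s+bypass": "execution policy bypass",
    r"-(?:nop|noprofile)\b": "no profile",
    r"\.lnk\b": "references a .lnk file",
}

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def is_powershell_launch(event: ProcessEvent) -> bool:
    """True for powershell/pwsh, or for cmd.exe that in turn invokes powershell."""
    name = _basename(event.image)
    if name in ("powershell.exe", "pwsh.exe"):
        return True
    return name == "cmd.exe" and "powershell" in event.command_line.lower()

def analyze_event(event: ProcessEvent, min_reasons: int = 2) -> Optional[Finding]:
    """Return a Finding when enough suspicious traits co-occur on one PowerShell launch."""
    if not is_powershell_launch(event):
        return None
    reasons = []
    # A double-clicked shortcut is started by the shell, so explorer.exe as parent
    # is one (weak, common) signal; it only counts together with other traits.
    if _basename(event.parent_image) == "explorer.exe":
        reasons.append("launched from explorer.exe (shortcut or double-click)")
    for pattern, label in SUSPICIOUS_PATTERNS.items():
        if re.search(pattern, event.command_line, re.IGNORECASE):
            reasons.append(label)
    return Finding(event, reasons) if len(reasons) >= min_reasons else None

def analyze(events: List[ProcessEvent], min_reasons: int = 2) -> List[Finding]:
    return [f for f in (analyze_event(e, min_reasons) for e in events) if f]

# Constructed sample events (not real telemetry from the campaign described).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand JABmAD0AJwBhAGIAYwAnAA=="),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Scripts\backup.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe",
                 'cmd.exe /c powershell -w hidden -ep bypass -c "Get-ChildItem -Path $env:USERPROFILE -Filter *.lnk"'),
    ProcessEvent(r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\agent\collect.ps1"),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(_basename(finding.event.image), "->", "; ".join(finding.reasons))
```

Run on the constructed events, the first and third are flagged; the plain `-File` launch from explorer.exe and the service-started script with a lone execution-policy flag fall below the threshold. Tuning the pattern set and the threshold against your own baseline of legitimate PowerShell use is what turns this sketch into something usable.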

So even though the first observed attack using Zebrocy's newest form failed, it did not deter the attackers; instead it likely allowed for a course correction that led to a successful attack campaign. The first attack was likely a dry run to test the new programming language, and its failures undoubtedly prompted changes to the Go source code that allowed it to be used in the Dear Joohn campaign.

It is unknown at this time how effective the Go variant of Zebrocy will be, but its inclusion in the Dear Joohn campaign points to potentially heavy usage. Sofacy has previously written the Trojan in languages such as AutoIt, Delphi, VB.NET, C#, and Visual C++, so it will likely be only a matter of time before another variant in yet another language is added.

Featured image: Flickr / Martijn.Munneke
