Cybersecurity researchers have reported that Zebrocy malware, considered part of the infamous APT28/Fancy Bear Russian cyber-espionage toolset, has been compromising systems and spreading across networks around the world in recent months.
For those unfamiliar with this Russian cyber-espionage group, here is a short history. APT28/Fancy Bear is one of the original Russian cyber-operations groups tracked by security firms and government intelligence agencies. Also known as Sofacy or STRONTIUM, the group has actively developed its toolbox of hacking programs. It has been blamed for cyber attacks on the nation of Georgia prior to Russia’s 2008 invasion and for stealing e-mail and data from the US Democratic National Committee prior to the 2016 presidential election. In 2018 it was discovered that APT28 had successfully deployed a Unified Extensible Firmware Interface (UEFI) rootkit, dubbed LoJax, which infects the system firmware beneath the operating system and can survive a reboot of the system.
Remember that everything can be hacked. To stay clear of threats from the cyber world, we recommend installing an antivirus for Windows or an antivirus for Mac on every device you own, depending on which OS it runs. If you are a company, we also recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network; these tests include penetration testing and ethical hacking.
Cybersecurity researchers now report that the initial Zebrocy infection starts with spearphishing attacks, followed by commands issued to the compromised system.
Zebrocy continues to attack at a high volume, with local and remote targets in the former Soviet republics of Central Asia. Meanwhile, another cybersecurity report highlights how rapidly the group behind Zebrocy has innovated its tools and techniques.
The cyber-espionage group has mainly targeted embassies, ministries, and diplomats in Azerbaijan, Bosnia and Herzegovina, Egypt, Georgia, Iran, Kazakhstan, Korea, Kyrgyzstan, Russia, Saudi Arabia, Serbia, Switzerland, Tajikistan, Turkey, Turkmenistan, Ukraine, Uruguay, and Zimbabwe, according to ESET.
Malware modus operandi:
Zebrocy consists of two downloaders, one written in Delphi and another in the AutoIt scripting language. Only one of the two downloaders needs to run to install a backdoor, the third Zebrocy component, onto a targeted system.
Once the infection occurs, the attackers quickly perform reconnaissance on the system, gathering operating system and file information as well as other details about the machine. Because the commands issued after the initial installation are always the same and are executed very quickly, they appear to be automated, requiring no human interaction. This malware is built to gather a considerable amount of information about the compromised target.
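The timing pattern described above (identical reconnaissance commands fired off within seconds of each other) is itself something a defender can look for. The script below is an added example, not code from the original article or from ESET: it scans constructed process-creation events (the timestamps, parent PIDs and command names are assumptions for illustration, not real Zebrocy telemetry) and flags any parent process that launches several reconnaissance-style commands inside a short window, a pace a human operator rarely matches.

```python
"""Flag bursts of reconnaissance-style commands run by one parent process
within a short window, a sign of scripted post-infection collection."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <parent pid> <command line>".
# Values are assumptions for illustration only, not real telemetry.
SAMPLE_EVENTS = """\
2019-05-22T09:14:01 4120 cmd.exe /c systeminfo
2019-05-22T09:14:02 4120 cmd.exe /c tasklist
2019-05-22T09:14:02 4120 cmd.exe /c dir C:\\Users /s
2019-05-22T09:14:03 4120 cmd.exe /c ipconfig /all
2019-05-22T09:31:10 5508 cmd.exe /c tasklist
2019-05-22T10:02:44 5508 cmd.exe /c ipconfig /all
"""

# Substrings that mark a command as system/file reconnaissance (assumed list).
RECON_KEYWORDS = ("systeminfo", "tasklist", "dir ", "ipconfig", "whoami")


def parse_events(text):
    """Turn the text log into (timestamp, parent_pid, command) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ppid, cmd = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), int(ppid), cmd))
    return events


def find_recon_bursts(events, min_cmds=3, window=timedelta(seconds=10)):
    """Return {parent_pid: [commands]} for every parent that ran at least
    min_cmds recon commands inside `window`; the first burst per parent is
    reported. Same commands, seconds apart, looks automated rather than typed."""
    by_parent = defaultdict(list)
    for ts, ppid, cmd in events:
        if any(k in cmd.lower() for k in RECON_KEYWORDS):
            by_parent[ppid].append((ts, cmd))
    bursts = {}
    for ppid, recs in by_parent.items():
        recs.sort()  # time order, so a sliding window is valid
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1  # shrink the window until it fits
            if end - start + 1 >= min_cmds:
                bursts[ppid] = [c for _, c in recs[start:end + 1]]
                break
    return bursts


if __name__ == "__main__":
    for ppid, cmds in find_recon_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"parent {ppid}: {len(cmds)} recon commands in a burst -> {cmds}")
```

Tune `min_cmds` and `window` to your own baseline; the two isolated commands from parent 5508 in the sample are ignored because they are half an hour apart.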
We will continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for cyber attacks. Remember to use an antivirus for Windows or an antivirus for Mac on every device you own, depending on which OS your machine runs. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network; such tests include penetration testing and ethical hacking.