
Cyber Espionage, APT28 targets NATO members and partners with Zebrocy

QuoIntelligence: APT28 targets NATO members and partners with Zebrocy, exploiting fake training documents as a lure

Russian APT28 is targeting government bodies of NATO members and partners with Zebrocy malware, QuoIntelligence cyber security experts have discovered. The lure is a malicious file named “Course 5 – 16 October 2020.zipx”, which appears to be a normal compressed document containing course materials. Furthermore, the operating system shows the logo of the Supreme Headquarters Allied Powers Europe (SHAPE). This is because the file comprises a legitimate JPG image with a ZIP archive appended to it. The state-sponsored hackers (aka Sofacy, Sednit, Fancy Bear, STRONTIUM) use the technique to evade AVs or other filtering systems, which might mistake the file for a JPEG and skip it. After decompressing the appended ZIP file, the following two samples are dropped: Course 5 – 16 October 2020.exe (Zebrocy malware), and Course 5 – 16 October 2020.xls (a corrupted file that seems to contain info about military personnel involved in “African Union Mission for Somalia”).
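A defender-side check for the appended-archive trick described above, as an added example that is not from QuoIntelligence or the original article: it flags files that start with a JPEG header but carry a ZIP archive after the image data, and lists the archive members. The function names and the sample bytes are constructed for illustration; ZIP64 archives are not handled.

```python
import io
import struct
import zipfile

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
EOCD_SIG = b"PK\x05\x06"     # ZIP end-of-central-directory (EOCD) signature
EXEC_EXT = (".exe", ".scr", ".com", ".dll")

def find_appended_zip(data: bytes):
    """Return (zip_start_offset, member_names) if data is a JPEG with a
    ZIP archive appended to it, otherwise None."""
    if not data.startswith(JPEG_SOI):
        return None
    # The EOCD record is 22 bytes plus an optional comment (max 65535 bytes),
    # so only the tail of the file has to be searched.
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 65535))
    if eocd < 0 or eocd + 22 > len(data):
        return None
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    # Offsets inside a ZIP are relative to the archive's own start, so the
    # length of any prefix (here: the image) is the difference between where
    # the central directory really is and where the EOCD says it is.
    zip_start = eocd - cd_size - cd_offset
    if zip_start <= 0:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[zip_start:])) as zf:
            return zip_start, zf.namelist()
    except zipfile.BadZipFile:
        return None

def executable_members(names):
    """Archive members whose extension suggests a Windows executable."""
    return [n for n in names if n.lower().endswith(EXEC_EXT)]

def build_sample():
    """Constructed sample: stub JPEG (SOI ... EOI) followed by a small ZIP."""
    jpeg = JPEG_SOI + b"\xe0" + b"\x00" * 32 + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lure.exe", b"placeholder, not a real binary")
        zf.writestr("lure.xls", b"placeholder")
    return jpeg, jpeg + buf.getvalue()

if __name__ == "__main__":
    clean, polyglot = build_sample()
    print("plain JPEG:", find_appended_zip(clean))
    start, names = find_appended_zip(polyglot)
    print("archive starts at byte", start, "members:", names)
    print("executables:", executable_members(names))
```

A mail or web gateway can run the same check on anything it classifies as an image by magic bytes, and quarantine hits that contain executable members.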

How the malware infection chain works according to the cyber security experts

Furthermore, according to the cyber security experts, the .exe file has a PDF icon, so if file extensions are not shown, targeted users might be lured into opening the executable and starting the Zebrocy infection chain. Once executed, the APT28 malware copies itself into %AppData%\Roaming\Service\12345678\sqlservice.exe, adding 160 random bytes to the new file. This padding is used to evade hash-matching security controls, since the dropped malware will always have a different file hash value. Next, it creates a new scheduled task, and it is executed with the /s parameter. The task runs regularly and tries to POST stolen data to hxxp://194.32.78[.]245/protect/get-upd-id[.]php. Moreover, at first glance the data seems to be obfuscated and encrypted. QuoIntelligence concludes that the campaign targeted a specific government body, at least in Azerbaijan, that closely cooperates with NATO and participates in exercises. Furthermore, it very likely targeted other Alliance members or countries cooperating with exercises.

The Zebrocy NATO campaign has correlations with the ReconHell/BlackWater attack

Zebrocy, used by APT28, is a persistent malware and a backdoor with many capabilities. They include system reconnaissance, file creation/modification, taking screenshots on the infected machine, arbitrary command execution, and creating Windows scheduled tasks. According to QuoIntelligence, the NATO campaign started on 5 August and is probably still ongoing. The malicious code version used by the Russian state-sponsored hackers is the Delphi one, and there are correlations with the ReconHell/BlackWater attack, which leveraged the Beirut tragedy to spread. Not by chance, it started on 5 August, just one day after the incident in Lebanon’s capital. Both pieces of malware were uploaded on the same day and by the same user in Azerbaijan. Both attacks happened in the same timeframe. OSCE and NATO are organizations that have been targeted (directly or indirectly) by APT28 in the past. The victimology identified for the ReconHellcat campaign is in line with the one targeted by the Zebrocy attack, and the type of organizations targeted by both attacks is also in line with known APT28 victimology.
