SYMBOLCOMMON_NAMEaka. SYNONYMS
win.zebrocy (Back to overview)

Zebrocy

aka: Zekapab

Actor(s): Sofacy


There is no description at this point.

References
2021-02-25IntezerIntezer
@techreport{intezer:20210225:year:eb47cd1, author = {Intezer}, title = {{Year of the Gopher A 2020 Go Malware Round-Up}}, date = {2021-02-25}, institution = {Intezer}, url = {https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf}, language = {English}, urldate = {2021-02-25} } Year of the Gopher A 2020 Go Malware Round-Up
WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim Ransomware NjRAT Quasar RAT WellMess Zebrocy
2020-12-09IntezerJoakim Kennedy
@online{kennedy:20201209:zebra:1c73168, author = {Joakim Kennedy}, title = {{A Zebra in Gopher's Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy}}, date = {2020-12-09}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/}, language = {English}, urldate = {2020-12-10} } A Zebra in Gopher's Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy
Zebrocy
2020-10-29US-CERTUS-CERT
@online{uscert:20201029:malware:8122496, author = {US-CERT}, title = {{Malware Analysis Report (AR20-303B): ZEBROCY Backdoor}}, date = {2020-10-29}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b}, language = {English}, urldate = {2020-11-02} } Malware Analysis Report (AR20-303B): ZEBROCY Backdoor
Zebrocy
2020-10-23360360 Threat Intelligence Center
@online{center:20201023:apt28:099c6cd, author = {360 Threat Intelligence Center}, title = {{APT28携小众压缩包诱饵对北约、中亚目标的定向攻击分析}}, date = {2020-10-23}, organization = {360}, url = {https://mp.weixin.qq.com/s/6R7bFs9lH1I3BNdkatCC9g}, language = {Chinese}, urldate = {2020-10-26} } APT28携小众压缩包诱饵对北约、中亚目标的定向攻击分析
Zebrocy
2020-09-22Bleeping ComputerAx Sharma
@online{sharma:20200922:russian:c3158b2, author = {Ax Sharma}, title = {{Russian hackers use fake NATO training docs to breach govt networks}}, date = {2020-09-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/}, language = {English}, urldate = {2020-09-24} } Russian hackers use fake NATO training docs to breach govt networks
Zebrocy Sofacy
2020-09-22QuoScientQuoIntelligence
@online{quointelligence:20200922:apt28:9bfda0c, author = {QuoIntelligence}, title = {{APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure}}, date = {2020-09-22}, organization = {QuoScient}, url = {https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/}, language = {English}, urldate = {2020-09-23} } APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure
Zebrocy Sofacy
2020-07-01360360 Threat Intelligence Center
@online{center:20200701::fc5fdee, author = {360 Threat Intelligence Center}, title = {{游走在东欧和中亚的奇幻熊}}, date = {2020-07-01}, organization = {360}, url = {https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og}, language = {Chinese}, urldate = {2020-10-26} } 游走在东欧和中亚的奇幻熊
Zebrocy
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:iron:48c68a0, author = {SecureWorks}, title = {{IRON TWILIGHT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-twilight}, language = {English}, urldate = {2020-05-23} } IRON TWILIGHT
X-Agent X-Agent X-Agent Computrace HideDRV Sedreco Seduploader X-Agent XTunnel Zebrocy Zebrocy (AutoIT)
2019-10-24MeltX0R SecurityMeltX0R
@online{meltx0r:20191024:10242019:6438b53, author = {MeltX0R}, title = {{10/24/2019 - APT28: Targeted attacks against mining corporations in Kazakhstan}}, date = {2019-10-24}, organization = {MeltX0R Security}, url = {https://meltx0r.github.io/tech/2019/10/24/apt28.html}, language = {English}, urldate = {2020-01-07} } 10/24/2019 - APT28: Targeted attacks against mining corporations in Kazakhstan
Zebrocy
2019-09-24ESET ResearchESET Research
@online{research:20190924:no:a84b64a, author = {ESET Research}, title = {{No summer vacations for Zebrocy}}, date = {2019-09-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/}, language = {English}, urldate = {2019-11-14} } No summer vacations for Zebrocy
Zebrocy
2019-08-01Kaspersky LabsGReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2019-06-03Kaspersky LabsGReAT
@online{great:20190603:zebrocys:25be7a9, author = {GReAT}, title = {{Zebrocy’s Multilanguage Malware Salad}}, date = {2019-06-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/zebrocys-multilanguage-malware-salad/90680/}, language = {English}, urldate = {2019-12-20} } Zebrocy’s Multilanguage Malware Salad
Zebrocy
2019-05-22ESET ResearchESET Research
@online{research:20190522:journey:0627ad7, author = {ESET Research}, title = {{A journey to Zebrocy land}}, date = {2019-05-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/}, language = {English}, urldate = {2019-11-14} } A journey to Zebrocy land
Zebrocy
2019-05-20Check PointBen Herzog
@online{herzog:20190520:malware:dac1524, author = {Ben Herzog}, title = {{Malware Against the C Monoculture}}, date = {2019-05-20}, organization = {Check Point}, url = {https://research.checkpoint.com/malware-against-the-c-monoculture/}, language = {English}, urldate = {2019-10-14} } Malware Against the C Monoculture
AdWind jRAT GhostMiner Zebrocy
2019-04-01Macnica NetworksMacnica Networks
@techreport{networks:20190401:trends:cf738dc, author = {Macnica Networks}, title = {{Trends in Cyber ​​Espionage Targeting Japan 2nd Half of 2018}}, date = {2019-04-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf}, language = {Japanese}, urldate = {2021-03-02} } Trends in Cyber ​​Espionage Targeting Japan 2nd Half of 2018
Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy
2019-01-24Kaspersky LabsKaspersky Lab ICS CERT
@online{cert:20190124:greyenergys:523e803, author = {Kaspersky Lab ICS CERT}, title = {{GreyEnergy’s overlap with Zebrocy}}, date = {2019-01-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/greyenergys-overlap-with-zebrocy/89506/}, language = {English}, urldate = {2019-12-20} } GreyEnergy’s overlap with Zebrocy
GreyEnergy Zebrocy
2019-01-11Kaspersky LabsGReAT
@online{great:20190111:zebrocy:671fed1, author = {GReAT}, title = {{A Zebrocy Go Downloader}}, date = {2019-01-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-zebrocy-go-downloader/89419/}, language = {English}, urldate = {2019-12-20} } A Zebrocy Go Downloader
Zebrocy
2018-12-21Vitali Kremez
@online{kremez:20181221:lets:46e594a, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth on APT28/Sofacy Zebrocy Golang Loader}}, date = {2018-12-21}, url = {https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html}, language = {English}, urldate = {2019-12-24} } Let's Learn: In-Depth on APT28/Sofacy Zebrocy Golang Loader
Zebrocy
2018-12-18paloalto Networks Unit 42Robert Falcone
@online{falcone:20181218:sofacy:3573b82, author = {Robert Falcone}, title = {{Sofacy Creates New ‘Go’ Variant of Zebrocy Tool}}, date = {2018-12-18}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/}, language = {English}, urldate = {2020-01-07} } Sofacy Creates New ‘Go’ Variant of Zebrocy Tool
Zebrocy
2018-12-10Vitali Kremez BlogVitali Kremez
@online{kremez:20181210:lets:f947fb1, author = {Vitali Kremez}, title = {{Let's Learn: Reviewing Sofacy's "Zebrocy" C++ Loader: Advanced Insight}}, date = {2018-12-10}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html}, language = {English}, urldate = {2020-01-09} } Let's Learn: Reviewing Sofacy's "Zebrocy" C++ Loader: Advanced Insight
Zebrocy
2018-11-29AccentureMichael Yip
@online{yip:20181129:snakemackerel:aa02eba, author = {Michael Yip}, title = {{Snakemackerel delivers Zekapab malware}}, date = {2018-11-29}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware}, language = {English}, urldate = {2019-12-10} } Snakemackerel delivers Zekapab malware
Zebrocy Sofacy
2018-11-20ESET ResearchESET Research
@online{research:20181120:sednit:caedbdb, author = {ESET Research}, title = {{Sednit: What’s going on with Zebrocy?}}, date = {2018-11-20}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/}, language = {English}, urldate = {2019-11-14} } Sednit: What’s going on with Zebrocy?
Zebrocy
2018-10-04SymantecCritical Attack Discovery and Intelligence Team
@online{team:20181004:apt28:97a1356, author = {Critical Attack Discovery and Intelligence Team}, title = {{APT28: New Espionage Operations Target Military and Government Organizations}}, date = {2018-10-04}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government}, language = {English}, urldate = {2020-04-21} } APT28: New Espionage Operations Target Military and Government Organizations
LoJax Seduploader X-Agent XTunnel Zebrocy Sofacy
2018-06-06Palo Alto Networks Unit 42Bryan Lee, Robert Falcone
@online{lee:20180606:sofacy:6d3e723, author = {Bryan Lee and Robert Falcone}, title = {{Sofacy Group’s Parallel Attacks}}, date = {2018-06-06}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/}, language = {English}, urldate = {2019-12-20} } Sofacy Group’s Parallel Attacks
Koadic Zebrocy
2018-04-24ESET ResearchESET Research
@online{research:20180424:sednit:ab398cd, author = {ESET Research}, title = {{Sednit update: Analysis of Zebrocy}}, date = {2018-04-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/}, language = {English}, urldate = {2019-11-14} } Sednit update: Analysis of Zebrocy
Zebrocy Zebrocy (AutoIT)
Yara Rules
[TLP:WHITE] win_zebrocy_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_zebrocy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 83c40c eb07 8b16 895508 891e }
            // n = 6, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   eb07                 | jmp                 9
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   895508               | mov                 dword ptr [ebp + 8], edx
            //   891e                 | mov                 dword ptr [esi], ebx

        $sequence_1 = { 8d45b8 8b5598 0fbe1c10 83eb10 8d759c e8???????? }
            // n = 6, score = 100
            //   8d45b8               | lea                 eax, [ebp - 0x48]
            //   8b5598               | mov                 edx, dword ptr [ebp - 0x68]
            //   0fbe1c10             | movsx               ebx, byte ptr [eax + edx]
            //   83eb10               | sub                 ebx, 0x10
            //   8d759c               | lea                 esi, [ebp - 0x64]
            //   e8????????           |                     

        $sequence_2 = { 8bf8 be???????? e8???????? 5f 8bc6 }
            // n = 5, score = 100
            //   8bf8                 | mov                 edi, eax
            //   be????????           |                     
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   8bc6                 | mov                 eax, esi

        $sequence_3 = { 55 89e5 83ec10 c645ff01 }
            // n = 4, score = 100
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   83ec10               | sub                 esp, 0x10
            //   c645ff01             | mov                 byte ptr [ebp - 1], 1

        $sequence_4 = { 89f9 83ec1c e8???????? 85f6 }
            // n = 4, score = 100
            //   89f9                 | mov                 ecx, edi
            //   83ec1c               | sub                 esp, 0x1c
            //   e8????????           |                     
            //   85f6                 | test                esi, esi

        $sequence_5 = { 8d3c8b 8b8f6c080000 85c9 894e08 7403 89710c 8b4de0 }
            // n = 7, score = 100
            //   8d3c8b               | lea                 edi, [ebx + ecx*4]
            //   8b8f6c080000         | mov                 ecx, dword ptr [edi + 0x86c]
            //   85c9                 | test                ecx, ecx
            //   894e08               | mov                 dword ptr [esi + 8], ecx
            //   7403                 | je                  5
            //   89710c               | mov                 dword ptr [ecx + 0xc], esi
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]

        $sequence_6 = { 33db 6a02 68???????? 8d8db0f7ffff 51 }
            // n = 5, score = 100
            //   33db                 | xor                 ebx, ebx
            //   6a02                 | push                2
            //   68????????           |                     
            //   8d8db0f7ffff         | lea                 ecx, [ebp - 0x850]
            //   51                   | push                ecx

        $sequence_7 = { 7f10 ba00000800 89d9 e8???????? 89c7 }
            // n = 5, score = 100
            //   7f10                 | jg                  0x12
            //   ba00000800           | mov                 edx, 0x80000
            //   89d9                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   89c7                 | mov                 edi, eax

        $sequence_8 = { 85c0 0f8585000000 8bf3 8d4e02 8d642400 668b06 }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   0f8585000000         | jne                 0x8b
            //   8bf3                 | mov                 esi, ebx
            //   8d4e02               | lea                 ecx, [esi + 2]
            //   8d642400             | lea                 esp, [esp]
            //   668b06               | mov                 ax, word ptr [esi]

        $sequence_9 = { e8???????? ba???????? 89c3 e8???????? }
            // n = 4, score = 100
            //   e8????????           |                     
            //   ba????????           |                     
            //   89c3                 | mov                 ebx, eax
            //   e8????????           |                     

        $sequence_10 = { 83c002 99 f7f9 c1e002 8945e4 }
            // n = 5, score = 100
            //   83c002               | add                 eax, 2
            //   99                   | cdq                 
            //   f7f9                 | idiv                ecx
            //   c1e002               | shl                 eax, 2
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax

        $sequence_11 = { e8???????? 83ff17 7403 47 ebdf 84db }
            // n = 6, score = 100
            //   e8????????           |                     
            //   83ff17               | cmp                 edi, 0x17
            //   7403                 | je                  5
            //   47                   | inc                 edi
            //   ebdf                 | jmp                 0xffffffe1
            //   84db                 | test                bl, bl

        $sequence_12 = { 5d c21000 8b4d14 51 56 ff15???????? }
            // n = 6, score = 100
            //   5d                   | pop                 ebp
            //   c21000               | ret                 0x10
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]
            //   51                   | push                ecx
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_13 = { 7410 89f1 890424 ba???????? e8???????? }
            // n = 5, score = 100
            //   7410                 | je                  0x12
            //   89f1                 | mov                 ecx, esi
            //   890424               | mov                 dword ptr [esp], eax
            //   ba????????           |                     
            //   e8????????           |                     

        $sequence_14 = { b001 e9???????? 57 ff15???????? }
            // n = 4, score = 100
            //   b001                 | mov                 al, 1
            //   e9????????           |                     
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_15 = { 8b4508 33c9 3b04cdc0844200 7413 41 83f92d }
            // n = 6, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   33c9                 | xor                 ecx, ecx
            //   3b04cdc0844200       | cmp                 eax, dword ptr [ecx*8 + 0x4284c0]
            //   7413                 | je                  0x15
            //   41                   | inc                 ecx
            //   83f92d               | cmp                 ecx, 0x2d

    condition:
        7 of them and filesize < 393216
}
Download all Yara Rules