Urian B., Tech Times

A particular Russian cyberthreat actor that is known for its destructive malware campaigns has just recently appeared again in a particular threat landscape with another attack that is leveraging the COVID-19 as particular phishing lures. This is said to once again show how adversaries are really adept at being able to repurpose the given current events in order for them to gain advantage.

Covid online scam

In an article by The Hacker News, there was reportedly a link between the operation to a particular sub-group called the APT28 which is also known as Fancy Bear, Sednit, Sofancy, or even STRONTIUM. The cybersecurity firm known as Intezer stated that these pandemic-themed phishing emails were actually employed in order to deliver the particular Go version of Zebrocy otherwise known as Zekapab malware.

The known cybersecurity firm gave a statement to The Hacker News noting that the campaigns were actually observed some time late last month. Zebrocy is said to be primarily delivered through phishing attacks that can actually contain certain decoy Microsoft Office docs with macros as well as certain executable file attachments.

COVID phishing attempt

This particular type of attacks were first spotted back in 2015, according to an article by SecureList, the operators that were behind this malware have said to be found to overlap with a particular GreyEnergy. This is a threat group that is believed to be a particular successor of the known BlackEnergy otherwise known as Sandworm. This suggests its role as a low-key sub-group that can be linked with Sofacy and GreyEnergy.

This type of attack is said to operate as a certain backdoor and downloader that is capable of collecting certain system information, capturing screenshots, file manipulation, as well as executing certain malicious commands that will then be exfiltrated to a certain attacker-controlled server. While it is said that Zebrocy was originally written in something called Delphocy or Delphi, it has been implemented in about half a dozen different languages. These include AutoIT, C#, C++, Python, and last but not the least, VB.NET.

Read Also: Hackers Steal 81,000 Facebook Accounts, Selling Them for as Low as 10 Cents Each

How does Phishing work

It was said that this specific campaign that was spotted by Intezer utilizes the Go version of the given malware. This was first ever documented by the Palo Alto Networks  back in October of 2018 and later on Kaspersky some time early 2019.

Once it is mounted, the said VHD file will appear as a sort of external drive with two different files. One would be a PDF documentation that should supposedly contain presentation slides about the Sinopharm International Corporation. This is a Chinese-based pharma company whose own COVID-19 vaccine has proven to be about 86% effective against the virus in certain late-stage clinical trials. The second file is said to be a certain executable that will look like a Word document that will run the Zebrocy malware once it is opened.

Related Article: Over 100,000 Medical Data Records Could be Dangerously Exposed

This article is owned by Tech Times

Written by Urian Buenconsejo

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Tags: COVID-19 Covid phishing Malware Russian hacker APT28
Join the Discussion