The group continues to evolve its custom malware in an effort to evade detection.
The Zebrocy trojan – a custom downloader malware used by Russia-linked APT Sofacy (a.k.a. APT28, Fancy Bear or Sednit) – has a new variant. While it’s functionally much the same as its other versions, the new code was written using the Go programming language.
The new payload overlaps with previous Zebrocy variants in several ways, starting with a shared command-and-control (C2) URL, according to an analysis from Palo Alto’s Unit 42 group. Beyond that, it performs initial data collection on the compromised system, exfiltrates this information to the C2 server, and attempts to download, install and execute an additional payload from the C2.
It also obfuscates strings as ASCII hexadecimal, uses a volume serial number (without its hyphen) obtained from the VOL command, includes the output from “systeminfo” and “tasklist” in the outbound C2 beacon, and uses the string “PrgStart” within the C2 beacon, according to the Unit 42 analysis.
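The traits listed above can be turned into a simple triage check for defenders. The following is an added example, not code from Unit 42 or from the malware: it decodes ASCII-hex runs in a captured request body and counts how many of the described traits appear. The trait names, the threshold of three and the sample body are assumptions constructed for illustration, not the real beacon layout.

```python
import re
from urllib.parse import unquote_plus

# Runs of ASCII hex at least 4 bytes long (assumed minimum to cut noise).
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}){4,}")
# VOL prints the serial as XXXX-XXXX; the article says the hyphen is dropped.
SERIAL = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{8}(?![0-9A-Fa-f])")

# Trait names are hypothetical labels; the matched markers are standard
# systeminfo/tasklist output fields plus the string named in the article.
TRAITS = {
    "PrgStart": lambda t: "PrgStart" in t,
    "systeminfo": lambda t: "Host Name:" in t and "OS Name:" in t,
    "tasklist": lambda t: "Image Name" in t and "PID" in t,
    "serial": lambda t: bool(SERIAL.search(t)),
}

def decode_hex_runs(text):
    """Return the printable strings hidden in ASCII-hex runs of text."""
    found = []
    for match in HEX_RUN.finditer(text):
        raw = bytes.fromhex(match.group(0))
        if all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            found.append(raw.decode("ascii"))
    return found

def beacon_traits(body):
    """List which traits appear in body, as sent or after hex decoding."""
    plain = unquote_plus(body)
    views = [plain] + decode_hex_runs(plain)
    return sorted(n for n, hit in TRAITS.items() if any(hit(v) for v in views))

def is_suspicious(body, threshold=3):
    """Flag a body showing at least threshold traits (assumed cut-off)."""
    return len(beacon_traits(body)) >= threshold

# Constructed sample: layout and values are invented for this example.
SAMPLE_INFO = "Host Name: WS01\r\nOS Name: Microsoft Windows 10 Pro\r\n"
SAMPLE_TASKS = "Image Name   PID\r\nexplorer.exe 4321\r\n"
SAMPLE_BODY = ("report=" + "PrgStart".encode().hex() + "&vol=1A2B3C4D&data="
               + (SAMPLE_INFO + SAMPLE_TASKS).encode().hex())

if __name__ == "__main__":
    print(beacon_traits(SAMPLE_BODY), is_suspicious(SAMPLE_BODY))
```

A bare eight-digit hex token or a mention of "PID" is common in benign traffic, which is why the check requires several traits together rather than any single one.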