Zebrocy is a Trojan that has been used by APT28 since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, and VB.NET. [1][2][3]

ID: S0251
Associated Software: Zekapab
Platforms: Windows
Contributors: Emily Ratliff, IBM
Version: 2.0

Associated Software Descriptions

Name | Description
Zekapab | [8] [6]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1119 | Automated Collection | Zebrocy scans the system and automatically collects files with the following extensions: .doc, .docx, .xls, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .jpeg, .bmp, .tiff, .kum, .tlg, .sbx, .cr, .hse, .hsf, and .lhz. [4] [5]
Enterprise | T1059 | Command-Line Interface | Zebrocy uses cmd.exe to execute commands on the system. [5]
Enterprise | T1094 | Custom Command and Control Protocol | Zebrocy uses raw sockets to communicate with its C2 server. [1]
Enterprise | T1132 | Data Encoding | Zebrocy has used URL/Percent Encoding on data exfiltrated via HTTP POST requests. [6]
Enterprise | T1022 | Data Encrypted | Zebrocy uses an encryption method similar to RC4 as well as AES to encrypt data before exfiltration. [7] [4]
Enterprise | T1074 | Data Staged | Zebrocy stores all collected information in a single file before exfiltration. [4]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Zebrocy decodes its secondary payload and writes it to the victim's machine. Zebrocy also uses AES and XOR to decrypt strings and payloads. [2] [4]
Enterprise | T1041 | Exfiltration Over Command and Control Channel | Zebrocy has exfiltrated data to the designated C2 server using HTTP POST requests. [6]
Enterprise | T1083 | File and Directory Discovery | Zebrocy searches for files that are 60 MB or less and have the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. Zebrocy also runs the echo %APPDATA% command to list the contents of the directory. Zebrocy can obtain the current execution path as well as perform drive enumeration. [7] [4] [5] [6]
Enterprise | T1107 | File Deletion | Zebrocy has a command to delete files and directories. [4] [5]
Enterprise | T1179 | Hooking | Zebrocy installs an application-defined Windows hook to get notified when a network drive has been attached, so it can then use the hook to call its RecordToFile file-stealing method. [7]
Enterprise | T1037 | Logon Scripts | Zebrocy establishes persistence by adding a Registry key with a logon script. [4]
Enterprise | T1135 | Network Share Discovery | Zebrocy identifies network drives when they are added to victim systems. [7]
Enterprise | T1120 | Peripheral Device Discovery | Zebrocy enumerates information about connected storage devices. [2]
Enterprise | T1057 | Process Discovery | Zebrocy uses the tasklist and wmic process get Caption, ExecutablePath commands to gather the processes running on the system. [2] [4] [3] [5] [6]
Enterprise | T1012 | Query Registry | Zebrocy executes the reg query command to obtain information from the Registry. [5]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Zebrocy creates an entry in a Registry Run key so that the malware executes on startup. [4] [5] [6]
Enterprise | T1105 | Remote File Copy | Zebrocy obtains additional code to execute on the victim's machine, including downloading a secondary payload. [1] [2] [5] [6]
Enterprise | T1113 | Screen Capture | A variant of Zebrocy captures screenshots of the victim's machine in JPEG and BMP format. [2] [4] [3] [5] [6]
Enterprise | T1045 | Software Packing | Zebrocy's Delphi variant was packed with UPX. [3] [6]
Enterprise | T1071 | Standard Application Layer Protocol | Zebrocy uses HTTP, SMTP, and POP3 for C2. [1] [2] [4] [3] [5] [6]
Enterprise | T1032 | Standard Cryptographic Protocol | Zebrocy uses SSL and AES ECB for encrypting C2 communications. [4] [5]
Enterprise | T1082 | System Information Discovery | Zebrocy collects the OS version, computer name, and serial number of the storage volume C:. Zebrocy also runs the systeminfo command to gather system information. [1] [2] [4] [3] [5] [6]
Enterprise | T1016 | System Network Configuration Discovery | Zebrocy runs the ipconfig /all command. [5]
Enterprise | T1049 | System Network Connections Discovery | Zebrocy uses netstat -aon to gather network connection information. [5]
Enterprise | T1033 | System Owner/User Discovery | Zebrocy gets the username from the system. [4]
Enterprise | T1124 | System Time Discovery | Zebrocy gathers the current time zone and date information from the system. [4]
Enterprise | T1065 | Uncommonly Used Port | Zebrocy uses port 465 for C2. [4]
Enterprise | T1047 | Windows Management Instrumentation | One variant of Zebrocy uses WMI queries to gather information. [3]

Groups That Use This Software

ID | Name | References
G0007 | APT28 | [1] [2] [7] [3] [5]