Zebrocy is a Trojan that has been used by APT28 since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, and VB.NET. [1][2][3]

ID: S0251
Platforms: Windows

Version: 1.1

Techniques Used

EnterpriseT1119Automated CollectionZebrocy scans the system and collects files with the following extensions: .docs, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .bmp, .tiff.[4]
EnterpriseT1094Custom Command and Control ProtocolZebrocy uses raw sockets to communicate with its C2 server.[1]
EnterpriseT1022Data EncryptedZebrocy uses an encryption method similar to RC4 as well as AES to encrypt data before exfiltration.[5][4]
EnterpriseT1074Data StagedZebrocy stores all collected information in a single file before exfiltration.[4]
EnterpriseT1140Deobfuscate/Decode Files or InformationZebrocy decodes its secondary payload and writes it to the victim’s machine.Zebrocy uses AES and XOR to decrypt strings and payloads.[2][4]
EnterpriseT1083File and Directory DiscoveryZebrocy searches for files that are 60mb and less and contain the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar.[5][4]
EnterpriseT1107File DeletionZebrocy has a command to delete files and directories.[4]
EnterpriseT1179HookingZebrocy installs an application-defined Windows hook to get notified when a network drive has been attached, so it can then use the hook to call its RecordToFile file stealing method.[5]
EnterpriseT1037Logon ScriptsZebrocy performs persistence via adding a Registry key with a logon script.[4]
EnterpriseT1135Network Share DiscoveryZebrocy identifies network drives when they are added to victim systems.[5]
EnterpriseT1120Peripheral Device DiscoveryZebrocy enumerates information about connected storage devices.[2]
EnterpriseT1057Process DiscoveryZebrocy uses the tasklist command to gather the processes running on the system.[2][4][3]
EnterpriseT1060Registry Run Keys / Startup FolderZebrocy creates an entry in the Registry’s run keys for the malware to execute on startup.[4]
EnterpriseT1105Remote File CopyZebrocy obtains additional code to execute on the victim's machine. Zebrocy downloads a secondary payload and writes it to the victim’s machine.[1][2]
EnterpriseT1113Screen CaptureA variant of Zebrocy captures screenshots of the victim’s machine in JPEG and BMP format.[2][4][3]
EnterpriseT1045Software PackingZebrocy's Delphi variant was packed with UPX.[3]
EnterpriseT1071Standard Application Layer ProtocolZebrocy uses HTTP, SMTP, and POP3 for C2.[1][2][4][3]
EnterpriseT1032Standard Cryptographic ProtocolZebrocy uses SSL for encrypting C2 communications.[4]
EnterpriseT1082System Information DiscoveryZebrocy collects the OS version, computer name and serial number for the storage volume C:\. Zebrocy also runs the systeminfo command to gather system information.[1][2][4][3]
EnterpriseT1033System Owner/User DiscoveryZebrocy gets the username from the system.[4]
EnterpriseT1124System Time DiscoveryZebrocy gathers the current time zone and date information from the system.[4]
EnterpriseT1065Uncommonly Used PortZebrocy uses Port Number 465 for C2.[4]
EnterpriseT1047Windows Management InstrumentationOne variant of Zebrocy uses WMI queries to gather information.[3]


Groups that use this software: