Associated Software: Zekapab
Contributors: Emily Ratliff, IBM
Associated Software Descriptions
|Enterprise||T1119||Automated Collection||Zebrocy scans the system and automatically collects files with the following extensions: .doc, .docx, ,.xls, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .jpeg, .bmp, .tiff, .kum, .tlg, .sbx, .cr, .hse, .hsf, and .lhz.  |
|Enterprise||T1059||Command-Line Interface||Zebrocy uses cmd.exe to execute commands on the system. |
|Enterprise||T1094||Custom Command and Control Protocol||Zebrocy uses raw sockets to communicate with its C2 server. |
|Enterprise||T1132||Data Encoding||Zebrocy has used URL/Percent Encoding on data exfiltrated via HTTP POST requests. |
|Enterprise||T1022||Data Encrypted||Zebrocy uses an encryption method similar to RC4 as well as AES to encrypt data before exfiltration.  |
|Enterprise||T1074||Data Staged||Zebrocy stores all collected information in a single file before exfiltration. |
|Enterprise||T1140||Deobfuscate/Decode Files or Information||Zebrocy decodes its secondary payload and writes it to the victim’s machine. Zebrocy also uses AES and XOR to decrypt strings and payloads.  |
|Enterprise||T1041||Exfiltration Over Command and Control Channel||Zebrocy has exfiltrated data to the designated C2 server using HTTP POST requests. |
|Enterprise||T1083||File and Directory Discovery||
Zebrocy searches for files that are 60mb and less and contain the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. Zebrocy also runs the
|Enterprise||T1107||File Deletion||Zebrocy has a command to delete files and directories.  |
|Enterprise||T1179||Hooking||Zebrocy installs an application-defined Windows hook to get notified when a network drive has been attached, so it can then use the hook to call its RecordToFile file stealing method. |
|Enterprise||T1037||Logon Scripts||Zebrocy performs persistence via adding a Registry key with a logon script. |
|Enterprise||T1135||Network Share Discovery||Zebrocy identifies network drives when they are added to victim systems. |
|Enterprise||T1120||Peripheral Device Discovery||Zebrocy enumerates information about connected storage devices. |
Zebrocy uses the
Zebrocy executes the
|Enterprise||T1060||Registry Run Keys / Startup Folder||Zebrocy creates an entry in a Registry Run key for the malware to execute on startup.   |
|Enterprise||T1105||Remote File Copy||Zebrocy obtains additional code to execute on the victim's machine, including the downloading of a secondary payload.    |
|Enterprise||T1113||Screen Capture||A variant of Zebrocy captures screenshots of the victim’s machine in JPEG and BMP format.     |
|Enterprise||T1045||Software Packing||Zebrocy's Delphi variant was packed with UPX.  |
|Enterprise||T1071||Standard Application Layer Protocol||Zebrocy uses HTTP, SMTP, and POP3 for C2.      |
|Enterprise||T1032||Standard Cryptographic Protocol||Zebrocy uses SSL and AES ECB for encrypting C2 communications.  |
|Enterprise||T1082||System Information Discovery||
Zebrocy collects the OS version, computer name and serial number for the storage volume C:. Zebrocy also runs the
|Enterprise||T1016||System Network Configuration Discovery||
Zebrocy runs the
|Enterprise||T1049||System Network Connections Discovery||
|Enterprise||T1033||System Owner/User Discovery||Zebrocy gets the username from the system. |
|Enterprise||T1124||System Time Discovery||Zebrocy gathers the current time zone and date information from the system. |
|Enterprise||T1065||Uncommonly Used Port||Zebrocy uses port 465 for C2. |
|Enterprise||T1047||Windows Management Instrumentation||One variant of Zebrocy uses WMI queries to gather information. |
Groups That Use This Software
|G0007||APT28||    |
- Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
- Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
- Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
- ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
- ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
- Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
- Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
- Shoorbajee, Z. (2018, November 29). Accenture: Russian hackers using Brexit talks to disguise phishing lures. Retrieved July 16, 2019.