May 22, 2019

Fancy Bear improves weapon in its hacking arsenal

By Robert Scammell

Fancy Bear, the notorious Russian cyber espionage group behind countless cyberattacks, has improved the capabilities of Zebrocy, one of the weapons in its hacking arsenal.

Research by cybersecurity firm ESET reveals how the malware component can now issue more than 30 commands to a compromised computer, is harder to detect and infiltrates at lightning speed.

Fancy Bear first uses the Zebrocy malware family to install a backdoor to gather information about a victim’s computer. If cyberattackers notice files of value, they execute another command to steal the files.

Previous victims of Zebrocy have included embassies, ministries of foreign affairs and diplomats.

Zebrocy has typically been installed using exploits, but in August 2018 Fancy Bear launched a spear-phishing campaign to deliver first-stage Zebrocy components.

“It is unusual for the group to use this technique to deliver one of its malware components directly,” explains Alexis Dorais-Joncas, Security Intelligence Team Lead at ESET R&D centre in Montreal.

“Previously, it had used exploits to deliver and execute the first-stage malware, while in this campaign the group relied entirely on social engineering to lure victims into running the first part of the chain.”

Fancy Bear has long been associated with Russian intelligence agency the GRU and has been linked to high-profile cyberattacks around the world, including the Democratic National Committee hack in which troves of emails were stolen during the 2016 presidential election.

True number of Zebrocy victims “impossible” to estimate

ESET says it has detected at least 20 clicks on the link installing Zebrocy but warns the overall number of victims is “impossible” to estimate.

“Unfortunately, without the email message, we don’t know if there are instructions issued to the user, either, if there is any further social engineering, or if it relies solely on the victim’s curiosity. The archive contains two files; the first is an executable file, while the second is a decoy PDF document,” adds Dorais-Joncas.

The improved Zebrocy backdoor can start sending commands to a compromised computer just a few minutes after the victim runs the downloader.

“The detection ratio is definitely lower in comparison to the usual backdoors,” says Alexis Dorais-Joncas. “The very short time frame during which this backdoor is on the system and operating makes it harder to retrieve. Once its operators complete their evil deeds, they quickly remove it.”

Fancy Bear, also known as Sednit and ATP28, among others, has been using Zebrocy for several years. It was first given its name by Kaspersky Labs in August 2017.

In previous campaigns, Zebrocy has been spread using malicious email documents named ‘Syria – Russia provocations.doc’ and ‘Note Letter Mary Christmas Card.doc’.

Read more: Political party cybersecurity still lacking ahead of key elections