Phishing Emails With COVID-19 Themes Delivered Zebrocy Malware
Researchers: Backdoor Tied to Russia-Linked Group
Russia-linked hackers used phishing emails with COVID-19 themes as a way to infect devices with a backdoor called Zebrocy, the security firm Intezer reports.
Intezer says the campaign, which was active through at least November, may be the work of the Russia-linked hacking group Sofacy, also known as APT28 and Fancy Bear. The researchers attributed the malware to this group by comparing it with other malicious code the group has used.
Sofacy has been linked to numerous attacks against governments and companies across the world. In the past week, Norway accused the group of hacking emails of lawmakers and others during an attack in August (see: Norway Says Russia-Linked APT28 Hacked Parliament).
Zebrocy is a backdoor used mainly against government agencies and commercial organizations involved in foreign affairs, according to Intezer's research report. In October, U.S. Cyber Command and the Cybersecurity and Infrastructure Security Agency issued a warning about updated versions of this malware (see: Updated Malware Tied to Russian Hackers).
In the campaign Intezer examined, the hackers used phishing messages that purported to offer updates about Sinopharm International Corp., a Chinese pharmaceutical company that has developed a COVID-19 vaccine currently in clinical trials.
The rush to produce a vaccine for COVID-19 is driving more cybercriminals and nation-state actors to use news about a possible breakthrough as a lure for phishing and spamming campaigns, according to law enforcement officials (see: Interpol: Organized Crime to Capitalize on COVID-19 Vaccines).
In some cases, the phishing emails that were part of the Sofacy campaign appeared to originate with India's Directorate General of Civil Aviation, which helps investigate aircraft accidents, according to the report.
Virtual Hard Drives
The campaign that Intezer examined used a suspicious Virtual Hard Disk file that was uploaded to the VirusTotal scanning platform in November. Virtual Hard Disk, or VHD, is a native file format for virtual hard drives used by Microsoft's Hyper-V hypervisor. Windows 10 devices have native support for the file format, which allows the user to mount the file and access its content, according to the report.
Security researchers have previously warned that antivirus and other security tools sometimes fail to inspect the contents of a VHD file, allowing malicious code stored inside it to reach and infect a device.
The VHD files that Intezer found uploaded to VirusTotal contained a PDF designed to look like a presentation about Sinopharm International Corp. that offered details and updates about COVID-19 vaccine research.
The VHD file also contained a malicious Microsoft Word document that acted as an executable and installed the Zebrocy backdoor on the device if opened, according to the report. The researchers also note that this version of the malware was written in the Golang programming language, making it the newer variant that CISA and Cyber Command warned about in October.
The VHD file could be attached to a phishing email and sent to a victim under the guise of updates about COVID-19 vaccines. If the Word document was opened, the target's device was compromised by the backdoor, the report notes.
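As an added example, not code from the article or from Intezer's report, the following Python triage check identifies a VHD attachment by its trailing 512-byte footer (the "conectix" cookie) rather than by its file extension, and scans the raw image of a fixed VHD for an embedded Windows executable of the kind described above. The sample VHD bytes and the attachment filename are constructed inline for illustration.

```python
import struct

VHD_FOOTER_SIZE = 512
VHD_COOKIE = b"conectix"  # 8-byte magic opening the 512-byte VHD footer
VHD_DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}

def vhd_disk_type(blob: bytes):
    """Return the VHD disk type name if blob ends with a VHD footer, else None."""
    if len(blob) < VHD_FOOTER_SIZE or blob[-VHD_FOOTER_SIZE:][:8] != VHD_COOKIE:
        return None
    # Disk Type is a big-endian uint32 at footer offset 60.
    (disk_type,) = struct.unpack_from(">I", blob, len(blob) - VHD_FOOTER_SIZE + 60)
    return VHD_DISK_TYPES.get(disk_type, "unknown")

def find_pe_offsets(blob: bytes):
    """Offsets of plausible PE images: 'MZ' whose e_lfanew points at 'PE\\0\\0'."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits

def triage_attachment(filename: str, blob: bytes):
    """Flag a VHD container (by footer, not extension) and any PE carried inside it.
    A fixed VHD is raw disk data plus the footer, so the raw bytes can be scanned."""
    findings = []
    kind = vhd_disk_type(blob)
    if kind is None:
        return findings
    findings.append(f"{filename}: VHD container ({kind}) sent as an attachment")
    if not filename.lower().endswith(".vhd"):
        findings.append(f"{filename}: footer says VHD but extension does not")
    for off in find_pe_offsets(blob):
        findings.append(f"{filename}: PE executable inside VHD at offset 0x{off:x}")
    return findings

def build_sample_vhd() -> bytes:
    """Constructed test input, not a real sample: fixed VHD holding a minimal PE stub."""
    pe_stub = bytearray(0x100)
    pe_stub[:2] = b"MZ"
    struct.pack_into("<I", pe_stub, 0x3C, 0x80)  # e_lfanew -> PE signature at 0x80
    pe_stub[0x80:0x84] = b"PE\x00\x00"
    footer = bytearray(VHD_FOOTER_SIZE)
    footer[:8] = VHD_COOKIE
    struct.pack_into(">I", footer, 60, 2)  # disk type 2 = fixed
    return bytes(0x200) + bytes(pe_stub) + bytes(0x200) + bytes(footer)
```

Dynamic and differencing VHDs store their data in blocks behind a block allocation table, so for those the footer check still fires but the raw PE scan may miss executables; mount-free inspection of such images needs a full VHD parser.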
The researchers say that one version of the VHD file was uploaded to VirusTotal from Kazakhstan in November. The researchers also found another version of the file uploaded from Azerbaijan in October.
Kazakhstan and Azerbaijan have been targeted by Sofacy, according to the report. The researchers also note that both versions of the Zebrocy backdoor found in the virtual files appear to connect to the same command-and-control server.