Geeks for your information Security Security Vendors Kaspersky Kaspersky Security Blog v
Zebrocy’s Multilanguage Malware Salad
Zebrocy’s Multilanguage Malware Salad
harlan4096 Online
MalWare Zoo Team
*******
Posts: 15,701
Threads: 10,082
Thanks Received: 9,296 in 7,442 posts
Thanks Given: 10,201
Joined: 12 September 18
#1
Bug  06 June 19, 07:42
Quote:
[Image: dish.png]

Zebrocy is Russian speaking APT that presents a strange set of stripes. To keep things simple, there are three things to know about Zebrocy

* Zebrocy is an active sub-group of victim profiling and access specialists

* Zebrocy maintains a lineage back through 2013, sharing malware artefacts and similarities with BlackEnergy

* The past five years of Zebrocy infrastructure, malware set, and targeting have similarities and overlaps with both the Sofacy and BlackEnergy APTs, yet throughout that time it has remained different from both of those groups

We originally described a rare “Zebrocy Delphi payload” in late 2015 private reports. That malware set, activity, and infrastructure has greatly expanded. Its malware set has been coded in a half dozen languages or so. Related activity has gone on for years, spearphished hundreds of government, foreign affairs related, and military related targets, and initially was regarded as a Sofacy subset.

Essentially, in our SAS2019 presentation “Zebrocy’s Multilanguage Malware Salad”, we publicly provided for the first time original insights on Zebrocy and its characteristics, based on five years of research and private reports on this group:

* Game is on – a small new Zebrocy spearphish wave with a new Golang downloader variant was sent out the week before SAS2019

* Consistent profiling and process enumeration reporting behavior has been redeveloped and redeployed in Zebrocy backdoors across five+ years

* Multiple bespoke second stage implants perform credential harvesting based on stage one process enumeration

* Copy-and-paste coding tendencies

* Complex overlaps with Sofacy and BlackEnergy/GreyEnergy over five years, suggesting a supportive role as a sub-group

* Initial malware development and deployment lineage with BlackEnergy stretches back to 2013

While Zebrocy has never presented 0day exploits, this group’s lineage comes from not-so-humble BlackEnergy and Sofacy beginnings. The group presents an agile and capable malware set, it spearphishing and intrusion activity surged in volume in 2018, and their efficacy requires network defenders’ attention.
Continue Reading
[-] The following 1 user says Thank You to harlan4096 for this post:
  • silversurfer
Find
Reply


Messages In This Thread
Zebrocy’s Multilanguage Malware Salad - by harlan4096 - 06 June 19, 07:42

Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
After Stacked L3, AMD Is Now Exploring W...
In a new research ...harlan4096 — 08:28
Opera 126.0.5750.37
A new Opera Stable...harlan4096 — 08:24
Brave 1.86.139 (Jan 15, 2026)
Release Notes v1.8...harlan4096 — 08:23
Opera One Adds Color-Coded Tab Islands ...
Very nice info. Than...jasonX — 03:06
XYplorer
XYplorer (64-bit) v2...jasonX — 03:05

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
avatar (50)theoldevext
avatar (45)algratCep
avatar (50)Qlaude2Sap
avatar (51)Josepharelf
avatar (40)kholukrefar
avatar (49)Lauraimike
avatar (51)WilsonWag
avatar (49)StevenPiole
avatar (40)zetssToomy
avatar (47)GornOr
avatar (50)Jamesmog
avatar (38)opeqyrav
avatar (38)ivanoFloom
avatar (41)uxegihor

[-]
Online Staff
There are no staff members currently online.

>