Fancy Bear Creates New Variant of Zebrocy Malware

Delaware, USA – December 19, 2018 – This month, researchers from Palo Alto discovered a new version of Zebrocy malware written using the Go programming language. It was used in a cyber-espionage campaign, which experts associate with attacks of the Fancy Bear group (aka APT28) targeted government organizations in North America and Europe. The first unsuccessful attempt to use this version of Zebrocy occurred back in October when the attackers spread LNK file disguised as a Word document, but because of an error in the file, no infection occurred. In a recent campaign, they used a Word file created on December 3, which downloaded a remote template containing lure image to trick a user into clicking the Enabling Content button. Because the shortened link was used to download the template, the researchers were able to establish that at least 75 users had opened a malicious document, and most of them are located in Turkey.

The new version of Zebrocy uses command and control servers that were used in other recent campaigns of the Fancy Bear group. Like the other variants of this malware written in AutoIt, Delphi, VB.NET, C# and Visual C++, it serves for reconnaissance and delivery of malware for the next stage of the attack. We updated SIEM rules in Threat Detection Marketplace to detect APT28 group tools and connections to their servers.

APT28 detection pack
Part 1:
Part 2:

Zebrocy Tool Detector: