Fancy Bear Returns With New Zebrocy Backdoor

Delaware, USA – September 24, 2019 – In late summer, Fancy Bear launched a new campaign targeting Ministries of Foreign Affairs and embassies in Europe and Central Asia with rewritten Zebrocy backdoor. The campaign started on August 20, and two days later it was discovered by Telsy’s researchers. Unlike past companies, cybercriminals send an empty document that downloads from Dropbox a remote template that installs Zebrocy backdoor. ESET analyzed the delivery mechanism and payload revealing the next changes in the group’s activities. The macro contained in the template initiates a complex infection chain that leaves a lot of traces in the system, and security solutions can detect the suspicious creation and deletion of many files. During this process, a new installer written in Nim is dropped into the system, it is not particularly sophisticated, and its all tasks are to download and run the next stage downloader written in Golang. In the last year campaign, Adversaries already leveraged Golang malware, but this downloader has not yet been used in the wild and seems to be one of the group’s old tools rewritten in a different language. It takes screenshots, executes commands, and downloads the rest of the group tools for this campaign: the dumper and two backdoors written in Delphy and Golang. Golang Zebrocy backdoor is a new piece of malware, which does not differ in functionality from their previous backdoors.

Fancy Bear APT continues to rewrite its proven effective tools in various programming languages. A recently published study confirms that, unlike Chinese APTs, Russian state-sponsored APT groups do not share source code, and each new tool is either a new development or rewrite of existing malware.
You can learn more about techniques used by Fance Bear APT in MITRE ATT&CK section on Threat Detection Marketplace: