An elite Russia-linked hacking group is creating multiple versions of one of its go-to malicious tools in an apparent attempt to make its activity harder to detect, according to research published Tuesday by Palo Alto Networks.
The company’s Unit42 threat intelligence team says that the hacker group Sofacy, also known as APT28, Fancy Bear and many other names, has been spotted using a version of the Zebrocy trojan written in the “Go” programming language in multiple phishing campaigns. The findings add to a list of Zebrocy variants written in different types of code.
Researchers and Western governments have largely attributed APT28 to Russian intelligence services.
“The use of a different programming language to create a functionally similar Trojan is not new to this group, as past Zebrocy variants have been developed in AutoIt, Delphi, VB.NET, C# and Visual C++,” the researchers wrote. “While we cannot be certain the impetus for this, we believe the threat group uses multiple languages to create their Trojans to make them differ structurally and visually to make detection more difficult.”
Zebrocy is piece of malware that creates a backdoor on a victim’s computer that can then be used to deploy further capabilities, usually for espionage. Researchers with a number of cybersecurity companies have noted APT28’s increased use of Zebrocy as of late.
Unit 42 researchers said that the newly discovered Go version of Zebrocy was detected in two different APT28-linked campaigns. In one of them, a Russian language email sent on Oct. 11 purports to be about the “effects of U.S. sanctions on the Russian economy.” The email attempts to deliver a malicious attachment that would ultimately deploy Zebrocy. However, the infection was not successful in this case because of a coding error on the part of the attackers, the researchers said.
Researchers said the attackers also used the Go version of Zebrocy in a previously observed campaign targeting government entities in North America, Europe and a former Soviet state. The campaign involved the use of Microsoft Word documents that are based on current events and prompt the victim to enable macros, resulting in a Zebrocy infection. Palo Alto Networks said that in this particular case, a shortened link that was found in the document was accessed from Turkey 75 times as of Dec. 5.
“Regardless of the attack’s effectiveness, the techniques and indicators we observed still provide analytical points for correlation and should be included in an organization’s security defenses as the group may use the payload and infrastructure in future attacks,” the report says.