ESET: Analyzing New Zebrocy Components

    The Sednit group has been active since at least 2004 and regularly appears in the news. Sednit (better known as Fancy Bear) is believed to be behind the hack of the US Democratic National Committee before the 2016 elections, the World Anti-Doping Agency (WADA), the TV5Monde television network and other attacks. The group has a large set of malicious tools in its arsenal, some of which we documented in our last report.

    We recently released a report on LoJax - a UEFI rootkit, which is also related to Sednit and was used in attacks in the Balkans, in Central and Eastern Europe.

    In August 2018, Sednit operators deployed two new Zebrocy components, and from that point on we have seen a surge in the use of this tool. Zebrocy is a set of loaders, droppers and backdoors. The loaders and droppers are designed for reconnaissance, while the backdoors provide persistence and spying capabilities. These new components have an unusual way of exfiltrating the collected data: over the SMTP and POP3 mail protocols.

    The victims of the new tools resemble those mentioned in our previous post on Zebrocy, as well as those described by Kaspersky Lab. The targets are in Central Asia and in Central and Eastern Europe, mainly embassies, foreign ministries and diplomats.


    Figure 1. Diagram of old and new Zebrocy components.

    For two years, the Sednit group used phishing emails as the infection vector for Zebrocy (variants 1 and 2 in Figure 1 above). After a compromise, the attackers used various first-stage downloaders to gather information about the victim and, if the victim was of interest, deployed one of the second-stage backdoors a few hours or days later.

    In the classic Zebrocy campaign scheme, the victim receives an archive attached to an email. The archive contains two files: a harmless document and an executable. The attackers try to deceive the victim by giving the executable a name typical of a document or image and using a "double extension".

    The new campaign (variant 3 in Figure 1) uses a more complex scheme, which we analyze below.


    The first binary is a Delphi dropper, which is quite unusual for a Zebrocy campaign: in most cases the binary installed on the victim's system at the first stage of the attack is a downloader.

    The dropper uses several methods to complicate reverse engineering. In the samples examined, it uses the keyword liver to mark the beginning and end of key elements, as shown below.

    $ yara -s tag_yara.yar  SCANPASS_QXWEGRFGCVT_323803488900X_jpeg.exe
    find_tag SCANPASS_QXWEGRFGCVT_323803488900X_jpeg.exe
    0x4c260:$tag: l\x00i\x00v\x00e\x00r\x00
    0x6f000:$tag: liver
    0x6f020:$tag: liver
    0x13ab0c:$tag: liver

    The YARA rule above looks for the string liver. The first match is used in the code and does not delimit anything, while the others delimit the key handle, the image (its hexdump is shown below) and the encrypted component in the dropper.

    $ hexdump -Cn 48 -s 0x6f000  SCANPASS_QXWEGRFGCVT_323803488900X_jpeg.exe
    0006f000  6c 69 76 65 72 4f 70 65  6e 41 69 72 33 39 30 34  |liverOpenAir3904|
    0006f010  35 5f 42 61 79 72 65 6e  5f 4d 75 6e 63 68 65 6e  |5_Bayren_Munchen|
    0006f020  6c 69 76 65 72 ff d8 ff  e0 00 10 4a 46 49 46 00  |liver......JFIF.|

    First, the image data is written to C:\Users\public\Pictures\scanPassport.jpg, if that file does not already exist.

    Interestingly, the dropper is named SCANPASS_QXWEGRFGCVT_323803488900X_jpeg.exe, which also suggests a phishing theme related to passports and travel information. This may mean the operator knew the purpose of the phishing message. The dropper opens the image and, if the file already exists, stops execution. Otherwise it opens the image and obtains the key handle OpenAir39045_Bayren_Munchen. The image is blank, although its format is valid, as the picture below shows.

    Figure 2. ScanPassport.jpg

    The key handle string contains Bayren_Munchen, most likely a reference to the FC Bayern Munich football club. In any case, it is not the content of the handle that matters but its length, which is used to obtain the XOR key that decrypts the component.

    To obtain the XOR key, the dropper looks for the last liver keyword and seeks past it by the length of the handle. The XOR key is 27 (0x1b) bytes long, the same as the handle.

    Using the XOR key and a simple loop, the dropper decrypts the last part of the file: the encrypted component, which runs from immediately after the last tag to the end of the file. Note that the MZ header of the executable begins immediately after the liver keyword, and that the XOR key is taken from a portion of the PE header that is normally a run of 0x00 bytes, as can be seen once the component is decrypted in the figure below.

    Figure 3. Encrypted component (left) compared to the decrypted component (right).
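    As an added example (not code from the page or from ESET), the following Python script reproduces the key recovery and decryption described above on a constructed dropper image: it locates the last liver tag, reads the 27 bytes that sit one handle-length past it (a region of the DOS header that is 0x00 in a normal PE, so the ciphertext there is the key itself), and XOR-decrypts the component. The sample dropper, the key and the minimal PE image are constructed fixtures, not the real sample.

```python
TAG = b"liver"
HANDLE = b"OpenAir39045_Bayren_Munchen"    # 27-byte key handle seen in the hexdump
SAMPLE_KEY = bytes(range(0x10, 0x10 + 27))  # constructed key, same length as the handle


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key: the dropper's 'simple loop'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob: bytes, key_len: int) -> bytes:
    """Bytes key_len..2*key_len of the DOS header (e_res, e_oemid, e_res2) are 0x00
    in a normal PE, and key_len mod key_len == 0, so the ciphertext there is the key."""
    key = blob[key_len:2 * key_len]
    if len(key) != key_len:
        raise ValueError("component too short to hold a DOS header")
    return key


def extract_component(dropper: bytes, handle: bytes = HANDLE) -> bytes:
    """Locate the encrypted component after the last tag and decrypt it."""
    pos = dropper.rfind(TAG)
    if pos < 0:
        raise ValueError("liver tag not found")
    blob = dropper[pos + len(TAG):]          # MZ header starts right after the tag
    pe = xor_cycle(blob, recover_key(blob, len(handle)))
    if pe[:2] != b"MZ":
        raise ValueError("decrypted data does not start with an MZ header")
    return pe


def build_sample_dropper(key: bytes) -> bytes:
    """Constructed fixture, not a real sample: a minimal DOS/PE image encrypted
    with `key`, appended to a body laid out like the hexdump on the page."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew: PE header right after
    pe = bytes(dos) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18 + b"fake section data"
    body = b"\x00" * 16 + "liver".encode("utf-16-le") + b"\x00" * 16  # wide string in code
    body += TAG + HANDLE + TAG + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
    return body + TAG + xor_cycle(pe, key)


if __name__ == "__main__":
    sample = build_sample_dropper(SAMPLE_KEY)
    component = extract_component(sample)
    print("decrypted", len(component), "bytes; PE signature at e_lfanew:",
          component[0x40:0x44])
```

    The same recovery works on any sample using this scheme as long as the DOS header bytes in the key window are zero, which a quick check of the decrypted MZ header confirms.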

    The component is dropped to C:\Users\Public\Documents\AcrobatReader.txt and the file is then renamed to C:\Users\Public\Documents\AcrobatReader.exe.

    This is perhaps an attempt to evade endpoint protection that raises a warning when a binary writes an .exe file to disk.

    Once again the operator tries to deceive the victim: if the victim looks at the directory, they will see what is shown in the following figure:

    Figure 4. The component looks like a PDF file

    By default Windows hides file extensions, and the attacker takes advantage of this by dropping the executable into the Documents folder disguised as a PDF.

    Finally, the dropper executes the dropped component and exits.

    MSIL Mail Downloader

    The component delivered by the previous dropper is a UPX-packed MSIL downloader. To better understand the process, its logic is described below, then the source code is shown and the control flow is considered.

    The main method calls Run to run the application, which then creates Form1 .

        Application.Run((Form) new Form1());

    Form1 initializes many variables, including seven new Timer objects:

        this.start = new Timer(this.components);
        this.inf = new Timer(this.components);
        this.txt = new Timer(this.components);
        this.subject = new Timer(this.components);
        this.run = new Timer(this.components);   // field name restored from the run_Tick handler below
        this.load = new Timer(this.components);
        this.screen = new Timer(this.components);

    The Timer object has three important fields:

    • Enabled: indicates the enabled state of the timer
    • Interval: time between events in milliseconds
    • Tick: the callback invoked when the interval elapses, provided the timer is enabled

    The fields are set as follows:

        this.start.Enabled = true;
        this.start.Interval = 120000;
        this.start.Tick += new EventHandler(this.start_Tick);
        this.inf.Interval = 10000;
        this.inf.Tick += new EventHandler(this.inf_Tick);
        this.txt.Interval = 120000;
        this.txt.Tick += new EventHandler(this.txt_Tick);
        this.subject.Interval = 120000;
        this.subject.Tick += new EventHandler(this.subject_Tick);
        this.run.Interval = 60000;   // field name restored from the run_Tick handler
        this.run.Tick += new EventHandler(this.run_Tick);
        this.load.Interval = 120000;
        this.load.Tick += new EventHandler(this.load_Tick);
        this.screen.Interval = 8000;
        this.screen.Tick += new EventHandler(this.screen_Tick);

    The interval of each object is set between 8 seconds and 2 minutes, and a callback is attached to each Tick event. Note that only start has Enabled set to true, which means that after 2 minutes (120,000 milliseconds = 120 seconds) start_Tick is invoked by the event handler.

        private void start_Tick(object sender, EventArgs e)
        {
            this.start.Enabled = false;
            Lenor lenor = new Lenor();
            this.dir = !Directory.Exists(this.label15.Text.ToString()) ? this.label16.Text.ToString() + "\\" : this.label15.Text.ToString() + "\\";
            this.att = this.dir + "audev.txt";
            this._id = lenor.id;   // member name assumed: the right-hand side was lost in extraction; Lenor yields the 16-byte id described below
            this.inf.Enabled = true;
        }

    Each method then follows the same pattern: it sets its own Enabled to false at the start, does its work, and then sets Enabled of the next object to true, which activates the next timer. The operator uses the Enabled variable to build something like a state machine: if a function fails, the mechanism repeats it until it succeeds. The delay between the execution of two functions may also be an attempt to evade anti-virus protection.

    Having described the structure of each method, we now turn to the control flow. Below is an overview of the steps as an email exchange between mailboxes.

    Figure 5. Email exchange

    The malware checks for the existence of a specific path that it uses to drop each of its files during execution. If available it uses C:\Users\Public\Videos\, otherwise C:\Documents and Settings\All Users\Documents\ is the default directory. Note that the second path is specific to Windows XP, while the first applies to Vista and later.

    A 16-byte id is generated by concatenating the serial number of the C: volume and the user name; it is stored in the file audev.txt.

    The loader collects the following information:
    - current application path
    - operating system version
    - system directory
    - user domain
    - machine name
    - user name
    - current time zone
    - current date
    - list of logical drives and information about each of them (model, serial number, etc.)
    - directory listing of C:\Program Files\ and C:\Program Files (x86)\
    - process list

    This data is stored in the file C:\Users\Public\Videos\si.ini and sent by email as an attachment via SMTPS on the default port 465. The body of the message contains the string SI (which may stand for System Information); the recipient of the message is . For all exchanges, the subject of the messages is set to the id.

    The operator chose to have several fallback addresses and sends the same message to two other recipients, most likely in case the main address stops working. After sending the message, the downloader deletes the si.ini file.

    On the first launch of the malware, a set.txt file is created with the text {System_Parametrs = 10} inside, and an entry is created under a Windows registry key.

    Figure 6. Registry persistence

    A single screenshot is taken, saved as scx.bin, and sent by email with the text SC (which may stand for Screenshot) in the body of the message.

    After sending it, the malware connects to the mailbox kae.mezhnosh@post.cz via POP3 over SSL (port 995) and searches for messages whose subject matches the id. If such a message exists and its body is not empty, the malware decrypts it and sends a message with okey in the body to . The content of the received message is then cleaned and parsed as follows:

        string[] strArray = this._adr.Replace("B&", "").Replace("Db", "").Split('%');
        string str1 = strArray[0];
        string str2 = strArray[1];

    Two strings are obtained: the first is the password and the second is the user name of a mail account.

    The new credentials are used to connect to that mailbox and search it for messages whose subject matches the malware's id and whose attachment has the string audev in its file name. If both conditions are met, the malware saves the attachment and deletes the message from the server.

    Log messages are sent to , while messages received via POP3 come from the mailbox whose credentials were just received.

    The attacker's scheme complicates investigation. First, having the downloader and its messages is not enough to connect to the mailbox that contains the next stage.

    Second, even with the mail credentials, the next payload cannot be obtained, because it is deleted once retrieved.

    When the downloader successfully writes the attachment to disk, it sends a message with okey2 in the body and an attachment l.txt containing 090. The same file is then overwritten with zeros and the malware tries to retrieve another message. If that succeeds, l.txt is sent with okey3 in the body. The content of the attachment is a directory and file name, and the malware moves the audev file to that location. Finally, the malware sends a message with okey4 in the body and l.txt as the attachment. It then launches the executable audev.exe and checks for the string audev in the process list:

        foreach (Process process in Process.GetProcesses())
        {
            if (process.ProcessName.Contains("audev"))
            {
                // process found: the final okey5 message is sent (body not reproduced in the article)
            }
        }

    If such a process is found, the last message is sent, containing okey5 and l.txt as the attachment. Finally, l.txt and set.txt are deleted, the Windows registry key that was created is removed, and the program terminates.

    Delphi Mail Downloader

    The main role of the loader is to assess the importance of the compromised system and, if it seems interesting, to download and execute the latest Zebrocy loader.

    The binary is written in Delphi and packed with UPX. The full definition of the TForm1 object can be found in its resource section; it contains some of the configuration parameters used. The following sections describe the downloader's initialization, capabilities and network protocol.


    First, a set of strings containing email addresses and passwords is decrypted. The operator uses AES in ECB mode. Each string is stored hex-encoded, and the first four bytes of the decrypted data give the final size of the decrypted string (the decrypted strings may contain some padding at the end). The TForm1 object holds two AES keys: the first is used to encrypt data and the second to decrypt it.

    The mail addresses and passwords are used by the operator to send commands to the malware and to receive the information collected from the victim's computer. The communication protocols are SMTP and POP3, both over SSL. To use OpenSSL, the malware drops and loads two OpenSSL dynamic libraries: libeay32.dll (98c348cab0f835d6cf17c3a31cd5811f86c0388b) and ssleay32.dll (6d981d71895581dfb103170486b8614f7f203bdc).

    Figure 7. Properties of the OpenSSL DLL

    Note that all files are dropped into the malware's working directory, C:\Users\Public\.

    Persistence is set up during the first execution of the malware by means of the well-known logon script technique. A file registr.bat is created and several strings from the TForm1 object are written to it. The final script looks like this:

    reg add HKCU\Environment /v "UserInitMprLogonScript" /t REG_EXPAND_SZ /d "C:\Users\Public\Videos\audev.exe" /f
    del C:\Users\Public\Videos\registr.bat
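    The logon-script persistence above is easy to recognise in a process-creation log or in the contents of the dropped .bat file. As an added example (not part of the original article), the following Python code parses reg add command lines and flags writes to UserInitMprLogonScript under HKCU\Environment; the log lines are constructed, with the reg add command from the script above included among them.

```python
import shlex

# Constructed sample of process command lines (one is the reg add line from the
# registr.bat script above; the others are benign or different reg operations).
SAMPLE_LOG = [
    r'cmd.exe /c C:\Users\Public\Videos\registr.bat',
    r'reg add HKCU\Environment /v "UserInitMprLogonScript" /t REG_EXPAND_SZ /d "C:\Users\Public\Videos\audev.exe" /f',
    r'reg add HKCU\Environment /v "TEMP" /t REG_EXPAND_SZ /d "%USERPROFILE%\AppData\Local\Temp" /f',
    r'C:\Windows\System32\reg.exe add "HKEY_CURRENT_USER\Environment" /v userinitmprlogonscript /t REG_SZ /d C:\Temp\x.exe /f',
    r'reg query HKCU\Environment /v UserInitMprLogonScript',
]

HKCU_NAMES = {"hkcu", "hkey_current_user"}


def parse_reg_add(cmdline: str):
    """Split a Windows `reg add` command line into key, value name, type and data.
    Returns None for anything that is not a `reg add` invocation."""
    try:
        # posix=False keeps backslashes literal; quotes are stripped afterwards
        toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:            # unbalanced quotes
        return None
    if len(toks) < 3 or toks[1].lower() != "add":
        return None
    if toks[0].lower().rsplit("\\", 1)[-1] not in ("reg", "reg.exe"):
        return None
    info = {"key": toks[2], "value": None, "type": None, "data": None}
    flags = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(toks):
        field = flags.get(toks[i].lower())
        if field and i + 1 < len(toks):
            info[field] = toks[i + 1]
            i += 2
        else:
            i += 1
    return info


def is_logon_script_persistence(info) -> bool:
    """True when the write targets HKCU\\Environment\\UserInitMprLogonScript."""
    hive, _, subkey = info["key"].partition("\\")
    return (hive.lower() in HKCU_NAMES
            and subkey.strip("\\").lower() == "environment"
            and (info["value"] or "").lower() == "userinitmprlogonscript")


def scan(lines):
    """Return (command line, script path) for every line planting the logon script."""
    hits = []
    for line in lines:
        info = parse_reg_add(line)
        if info and is_logon_script_persistence(info):
            hits.append((line, info["data"]))
    return hits


if __name__ == "__main__":
    for line, path in scan(SAMPLE_LOG):
        print("logon script persistence ->", path)
```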

    Last but not least, the malware creates an id in the same way as the previously described Zebrocy binaries: it gets the user name with the GetUserNameW Windows API and prepends the serial number of the C: drive.


    Since there are several conditions and procedures for collecting information about a victim, its various capabilities are described below. The scan configuration is stored in the TForm1 object, which defines seven different ways of collecting information from the victim's computer.

    Starting with a simple scan, the first information the malware can obtain concerns files with the following extensions: .docx, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .bmp, .tiff. For each matching file on disk, the malware records the full path and the last modification date. This information is encrypted with the AES key mentioned earlier and stored in the file 0.txt. Another scan targets the .dat, .json and .db extensions and, as before, records the full path and last modification date of each file, encrypts them and stores them in the file 57.txt.

    Listing the running processes is another capability of the malware; the result is stored in the file 08.txt and looks like this:

    [System Process]

    The i.txt file contains general information about the victim's computer, as well as some information about the malware itself (its version number and its path). See the example below:

    C: fixed; size= 102297 Mb, free=83927 Mb S/N: [redacted]
    OSV: Windows 7
    WinType: 32
    WinDir: C:\Windows
    Lang: English (United States)
    TZ: UTC1:0 Romance Standard Time
    HostN: [redacted]-PC
    User: [redacted]
    C:\Program Files\Common Files
    C:\Program Files\desktop.ini
    C:\Program Files\DVD Maker
    C:\Program Files\Internet Explorer
    C:\Program Files\Microsoft.NET
    C:\Program Files\MSBuild
    C:\Program Files\Reference Assemblies
    C:\Program Files\Uninstall Information
    C:\Program Files\Windows Defender

    The malware can take screenshots, which are saved as 2\[YYYY-mm-dd HH-MM-SS]-Image_001.jpg, and it generates another file 2\sa.bin containing the list of paths of all the screenshots taken. The last capability is the listing of network components and system data, whose result is written to 4.txt.

    Network protocol

    The Delphi mail downloader is a relatively new addition to the Zebrocy toolkit, providing a new way to exfiltrate data and receive commands from the operator. Exfiltration is fairly simple but generates a lot of noise on the network, as the previously collected encrypted files are sent via SMTPS, each version of each file three times.

    The subject of the message is the victim's id, and the file is sent as an attachment named with a keyword corresponding to the content of the file. Note that for each file it is the encrypted version that is sent.

    Screenshots and files for both scans are also sent, but with different keywords.

    Figure 8. Example of a letter with transmitted data

    While data exfiltration uses the SMTP protocol, the binary connects to the mailbox via POP3 and parses the messages. The body of a message contains various keywords that the malware interprets as commands.

    After execution, the debug log and the result of the commands (if any) are sent back to the operator. For example, after the scan command the operator receives a file listing the files with matching extensions, along with each of those files.

    While this downloader has backdoor capabilities, it drops onto the system the Delphi downloader that is already associated with this group and that we described in a previous article on Zebrocy.


    In the past we have seen overlaps between Zebrocy and the traditional Sednit malware. We have caught Zebrocy dropping XAgent, Sednit's flagship backdoor, onto a system, so we attribute the authorship of Zebrocy to this group with high confidence.

    Nevertheless, analysis of the binaries revealed language-level mistakes as well as development choices that point to a different level of skill in their authors. Both downloaders use mail protocols for data exfiltration and identical mechanisms for collecting the same information. However, they generate a lot of noise on the network and on the system by creating many files and sending them. While analyzing the Delphi mail downloader, it seemed to us that some functions were missing even though their strings remained in the binary. This toolkit is used by the Sednit group, but we believe it is developed by a different, less experienced team than the one behind the traditional Sednit components.

    The Zebrocy components are an addition to the Sednit toolkit, and recent events may explain the increased use of the Zebrocy binaries instead of the traditional Sednit malware.

    Compromise indicators

    File names, SHA-1 hashes and ESET detection names

    1. SCANPASS_QXWEGRFGCVT_323803488900X_jpeg.exe - 7768fd2812ceff05db8f969a7bed1de5615bfc5a - Win32/Sednit.ORQ
    2. C:\Users\Public\Pictures\scanPassport.jpg - da70c54a8b9fd236793bb2ab3f8a50e6cd37e2df
    3. C:\Users\Public\Documents\AcrobatReader.{exe,txt} - a225d457c3396e647ffc710cd1edd4c74dc57152 - MSIL/Sednit.D
    4. C:\Users\Public\Videos\audev.txt - a659a765536d2099ecbde988d6763028ff92752e - Win32/Sednit.CH
    5. %TMP%\Indy0037C632.tmp - 20954fe36388ae8b1174424c8e4996ea2689f747 - Win32/TrojanDownloader.Sednit.CMR
    6. %TMP%\Indy01863A21.tmp - e0d8829d2e76e9bb02e3b375981181ae02462c43 - Win32/TrojanDownloader.Sednit.CMQ

