The infamous Russian hacker group Fancy Bear, also known as APT28 and Strontium, is targeting government agencies of NATO member countries.
The group, which is suspected of being behind the hack of the 2016 Democratic National Convention in the US, is now using sophisticated malware called Zebrocy Delphi to target government bodies and steal data.
Cyber security researchers at QuoIntelligence first discovered the malware in August 2020, disguised as fake NATO training materials sent to target computers. At first glance the training materials seemed legitimate, but a closer look revealed the malicious intent.
The course material distributed by APT28 came as a file named “Course 5 – 16 October 2020.zipx”, which looks like an archived zip file containing NATO material. When the researchers renamed the .zipx extension to .jpg, they found that the file behaved exactly like an image, displaying the logo of the Supreme Headquarters Allied Powers Europe (SHAPE), NATO Allied Command Operations (ACO), in Belgium. It was not what it seemed, however.
When the researchers dug deeper, they found a “merged zip file”. “This technique works because JPEG files are analyzed from the beginning of the file and some Zip applications analyze Zip files from the end of the file (since the index is located there) without looking at the signature on the front,” the researchers explained.
Through this technique, the Fancy Bear hackers aimed to evade antivirus detection: a scanner that checks only the start of the file would mistake it for an image (JPG/JPEG) and let it pass. To decompress the file, however, the victim must use WinRAR; WinZip and some other decompression programs show an error claiming that the file is corrupt.
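The detection gap the researchers describe is that a JPEG is identified by its header while a ZIP is identified by the end-of-central-directory record at its tail, so a file can satisfy both checks at once. The following script is an added example written for this article, not code from QuoIntelligence or from the campaign; it builds a constructed JPEG/ZIP polyglot in memory (a stub JPEG header followed by a small archive with placeholder file names) and classifies files by looking at both ends, which is how a defender would flag such lures in mail or file-scanning pipelines. Python's standard `zipfile` module, like the archivers mentioned above, locates the archive from the end and tolerates prepended data, so it can also list what the hidden archive contains.

```python
import io
import zipfile

JPEG_SOI = b"\xff\xd8\xff"          # JPEG start-of-image marker (signature at the front)
ZIP_LOCAL_HEADER = b"PK\x03\x04"    # a normal ZIP begins with a local file header
ZIP_EOCD = b"PK\x05\x06"            # ZIP end-of-central-directory record (at the back)
# The EOCD record is 22 bytes plus an optional comment of at most 65535 bytes,
# so in a well-formed archive it must sit within the last 65557 bytes.
EOCD_SEARCH_WINDOW = 22 + 65535

# Constructed stub: SOI + an APP0/JFIF-like segment + EOI. Only the leading
# signature matters to a header-based scanner; this is not a decodable image.
SAMPLE_JPEG_HEADER = (
    JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 32 + b"\xff\xd9"
)


def header_type(data: bytes) -> str:
    """Classify by the signature at the start of the file, as a JPEG parser would."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if data.startswith(ZIP_LOCAL_HEADER):
        return "zip"
    return "unknown"


def has_zip_trailer(data: bytes) -> bool:
    """True if an EOCD record appears where an end-parsing archiver would look."""
    return ZIP_EOCD in data[-EOCD_SEARCH_WINDOW:]


def classify(data: bytes) -> str:
    """Combine both ends: a JPEG header plus a parseable ZIP tail is a polyglot."""
    head = header_type(data)
    tail = has_zip_trailer(data)
    if head == "jpeg" and tail and zipfile.is_zipfile(io.BytesIO(data)):
        return "jpeg-zip-polyglot"
    if head == "zip" and tail:
        return "zip"
    if head == "jpeg":
        return "jpeg"
    return "unknown"


def list_embedded_names(data: bytes) -> list[str]:
    """Enumerate the archive members hidden behind the image header."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample_archive(prefix: bytes = b"") -> bytes:
    """Constructed sample: a tiny ZIP, optionally prepended with `prefix`.

    Member names are placeholders modelled on the lure's layout; the contents
    are dummy bytes, not real binaries.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Course 5 - example.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("Course 5 - example.xls", b"not a real spreadsheet")
    return prefix + buf.getvalue()


if __name__ == "__main__":
    polyglot = build_sample_archive(SAMPLE_JPEG_HEADER)
    print(classify(polyglot))                 # jpeg-zip-polyglot
    print(list_embedded_names(polyglot))      # the two hidden members
    print(classify(build_sample_archive()))   # zip
    print(classify(SAMPLE_JPEG_HEADER))       # jpeg
```

The practical rule this encodes: a file type decision must consider the whole file, not just its leading bytes, and any file whose front and back claim different formats deserves to be quarantined regardless of its extension.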
Once decompressed, two files appear: “Course 5 – 16 October 2020.exe” and “Course 5 – 16 October 2020.xls”. The Excel file cannot be opened by Microsoft Excel, which reports it as corrupt. The researchers found that it contained information about military personnel for an “African Union Mission to Somalia”.
The intent, however, was to lure the victim into opening the other file, which carries a PDF icon and contains the Zebrocy Delphi malware. With file extensions hidden, the victim sees what looks like a PDF of the course material and unknowingly launches an executable (.exe).
Once executed, the file drops the Zebrocy malware and creates a scheduled task to send the stolen data to a remote server. It also communicates with a command and control (C2) server in France. According to BleepingComputer, Zebrocy can be used for multiple purposes: it can create and modify files, take screenshots, and execute commands.
QuoIntelligence revealed that Azerbaijan was targeted with the malware. Although the country is not a NATO member, it cooperates with the alliance and participates in its training exercises. The researchers believe many NATO countries may already have been targeted.