Friday, January 15, 19:30

Russian hackers target organizations with fake NATO training files!

The Russian hacking group known as APT28, Fancy Bear, Sofacy, Sednit and STRONTIUM is behind a series of attacks targeting organizations. The hackers are delivering a hard-to-detect piece of Zebrocy Delphi malware, presented to potential victims as NATO training material. Researchers examining the payload files found that they are disguised as JPG files that display NATO images when opened on a computer.

Last August, the Qi'anxin Red Raindrops team reported that they had discovered a campaign organized by the Russian hackers of APT28, which delivered Zebrocy malware in the form of NATO training material.

Russian hackers vs NATO

It is worth noting that the threat intelligence company QuoIntelligence had notified organizations of this campaign from August 8, before information about it was made public. QuoIntelligence's researchers told BleepingComputer that the campaign targets NATO member states as well as Azerbaijan. The researchers said that although Azerbaijan is not a member of NATO, it works closely with North Atlantic organizations and participates in NATO exercises. The same campaign is also likely to target other NATO members or countries that cooperate in NATO exercises. After QuoIntelligence researchers discovered the campaign, they reported their findings to the French authorities.

The malicious file distributed by APT28 is entitled “Lesson 5 - October 16, 2020.zipx”. To an unsuspecting user, this appears to be a ZIP file containing course materials. According to BleepingComputer, the ZIP file behaves almost like a legitimate image file. According to QuoIntelligence researchers, this is because the file contains a legitimate JPG image with a ZIP file appended to it. The metadata and file properties also show the MIME type “image/jpeg” with references to "JPEG image data".

NATO archives

The researchers explain that this technique works because JPEG files are parsed from the beginning of the file, while some ZIP parsers read ZIP files from the end of the file without checking the signature at the front.
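To illustrate the parsing mismatch described above, here is an added Python example (not from the article or from the researchers cited) that builds a constructed JPEG-with-ZIP-appended sample and shows how a defender can flag it: the head of the file claims JPEG, but a ZIP End Of Central Directory record sits at the tail, and a standard ZIP reader still lists the archive's members. The member name inside the constructed archive is taken from the article; its content is a placeholder.

```python
import io
import zipfile

JPEG_SOI = b"\xff\xd8\xff"      # JPEG Start-Of-Image marker plus the first segment marker byte
ZIP_EOCD_SIG = b"PK\x05\x06"    # ZIP End-Of-Central-Directory signature
EOCD_MIN_LEN = 22               # fixed part of the EOCD record
ZIP_COMMENT_MAX = 0xFFFF        # the EOCD may be followed by up to 64 KiB of archive comment


def find_eocd(data: bytes) -> int:
    """Locate the EOCD record the way ZIP readers do: scan backwards from the end."""
    tail_start = max(0, len(data) - EOCD_MIN_LEN - ZIP_COMMENT_MAX)
    pos = data.rfind(ZIP_EOCD_SIG, tail_start)
    if pos == -1 or len(data) - pos < EOCD_MIN_LEN:
        return -1
    return pos


def classify(data: bytes) -> str:
    """Compare what the head of the file claims with what the tail contains."""
    looks_jpeg = data.startswith(JPEG_SOI)
    has_zip_tail = find_eocd(data) != -1
    if looks_jpeg and has_zip_tail:
        return "jpeg+zip polyglot"   # head/tail mismatch: treat as an archive, not an image
    if looks_jpeg:
        return "jpeg"
    if has_zip_tail:
        return "zip"
    return "unknown"


def list_zip_members(data: bytes) -> list:
    """Names a ZIP reader would extract; empty if the data is not a readable archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def build_sample() -> bytes:
    """Constructed test input: a minimal JPEG-like header with a small ZIP appended."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Lesson 5 - 16 October 2020.exe", b"placeholder bytes, not a real program")
    return jpeg + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print(classify(sample), list_zip_members(sample))
```

A file gate that only trusts the leading magic bytes or the reported MIME type would pass this sample as an image; checking the tail for an EOCD record catches the mismatch.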

At the time of the Qi'anxin Red Raindrops and QuoIntelligence analysis, the malware sample had a very low detection rate of 3/61 on VirusTotal. Even today, fewer than half of the antivirus engines on VirusTotal detect the infection.

The technique is also used by hackers to evade antivirus products and other filtering systems. When extracted, the ZIP contains a corrupt Excel file (.xls) and another file with the same name, “Lesson 5 - October 16, 2020”, but an EXE extension. On Windows systems, the file “Lesson 5 - 16 October 2020.exe” displays a PDF icon.


The Zebrocy malware used in this campaign has many capabilities, such as system reconnaissance, file creation and modification, taking screenshots on the infected device, arbitrary command execution and creation of scheduled Windows tasks. The malware also drops many files on an infected system, which makes it "quite noticeable", as its activity triggers alerts on leading security products.

In this case, the Zebrocy payload (contained in "Lesson 5 - 16 October 2020.exe") works by copying itself to "%AppData%\Roaming\Service\12345678\sqlservice.exe" and then appending a random 160-byte blob to the newly created file. Additionally, the malware creates a scheduled Windows task that runs every minute and sends stolen data to the command-and-control (C2) server.

QuoIntelligence suspects that this malware is targeting Azerbaijani organizations, based on a previous ReconHellcat campaign analyzed by the company.

Three similarities between these samples lead the researchers to conclude that this attack targeted a specific organization, at least in Azerbaijan:

  • The upload of both the compressed Zebrocy malware and the Organization for Security and Co-operation in Europe (OSCE) lure used to deliver the Blackwater backdoor took place on the same day, August 5th.
  • Both samples were uploaded by the same user in Azerbaijan and most likely by the same organization.
  • Both attacks occurred at the same time.
