The Russian state-backed hackers behind the Zebrocy malware have changed the way they deliver it to high-profile targets: they now package the malware inside Virtual Hard Disk (VHD) images to evade detection.
The technique was observed in recent spear-phishing campaigns by the APT28 group (also tracked as Fancy Bear, Sofacy, Strontium and Sednit), which was trying to infect targets with a variant of the Zebrocy tool.
New variants of Zebrocy are not easily detected
Zebrocy exists in versions written in several programming languages (AutoIT, C++, C#, Delphi, Go, VB.NET). For its recent campaigns the group chose the Go-based version instead of the more common Delphi one.
Windows 10 natively supports VHD files: a double-click mounts the image as an additional drive so the user can browse the files inside it. Last year, security researchers found that antivirus products do not inspect the contents of a VHD until the disk image is actually mounted, so an attacker who wraps a payload in a VHD gets past the scanners that run on the file as it arrives.
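The gap described above is that the container is opaque to scanners that wait for a mount. The following Python script, added here as an illustration and not code from the article, Intezer or BleepingComputer, shows how a triage tool can look inside a VHD without mounting it: it parses the 512-byte footer that every VHD carries at its end (big-endian, cookie `conectix`), verifies the footer checksum, and carves the raw image for PE and PDF headers. The image it analyses is constructed inline (a 4 KiB fixed disk holding a decoy PDF marker and a minimal PE stub), mirroring the decoy-document-plus-executable layout of a VHD lure; it is not the real sample and contains no partition table or file system.

```python
"""Static triage of a VHD container without mounting it (added example)."""
import struct

FOOTER_SIZE = 512
COOKIE = b"conectix"
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}


def vhd_checksum(footer: bytes) -> int:
    """VHD footer checksum: one's complement of the sum of all footer bytes,
    with the 4-byte checksum field at offset 64 treated as zero."""
    zeroed = bytes(footer[:64]) + b"\x00" * 4 + bytes(footer[68:])
    return (~sum(zeroed)) & 0xFFFFFFFF


def is_vhd(data: bytes) -> bool:
    """A VHD ends with a 512-byte footer that starts with the 'conectix' cookie."""
    return len(data) >= FOOTER_SIZE and data[-FOOTER_SIZE:][:8] == COOKIE


def parse_footer(data: bytes) -> dict:
    """Decode the footer fields a triage tool cares about."""
    if not is_vhd(data):
        raise ValueError("no VHD footer found")
    footer = data[-FOOTER_SIZE:]
    _cookie, _features, _version, data_offset = struct.unpack_from(">8sIIQ", footer, 0)
    original_size, current_size = struct.unpack_from(">QQ", footer, 40)
    disk_type, checksum = struct.unpack_from(">II", footer, 60)
    return {
        "disk_type": DISK_TYPES.get(disk_type, "unknown(%d)" % disk_type),
        "data_offset": data_offset,  # 0xFFFFFFFFFFFFFFFF for a fixed disk
        "original_size": original_size,
        "current_size": current_size,
        "checksum_ok": checksum == vhd_checksum(footer),
    }


def looks_like_pe(body: bytes, pos: int) -> bool:
    """An 'MZ' is only reported as a PE if e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if pos + 0x40 > len(body):
        return False
    e_lfanew = struct.unpack_from("<I", body, pos + 0x3C)[0]
    hdr = pos + e_lfanew
    return body[hdr:hdr + 4] == b"PE\0\0"


def carve(data: bytes) -> list:
    """Return sorted (offset, kind) pairs for PDF and PE headers in the image body."""
    body = data[:-FOOTER_SIZE]
    hits = []
    pos = body.find(b"%PDF-")
    while pos != -1:
        hits.append((pos, "pdf"))
        pos = body.find(b"%PDF-", pos + 1)
    pos = body.find(b"MZ")
    while pos != -1:
        if looks_like_pe(body, pos):
            hits.append((pos, "pe"))
        pos = body.find(b"MZ", pos + 1)
    return sorted(hits)


def triage(data: bytes) -> dict:
    """Footer metadata plus carved embedded files, with no mount involved."""
    info = parse_footer(data)
    info["embedded"] = carve(data)
    return info


def build_fixed_vhd(body: bytes) -> bytes:
    """Append a valid fixed-disk footer (type 2) to a raw image body."""
    footer = bytearray(FOOTER_SIZE)
    struct.pack_into(">8sIIQ", footer, 0, COOKIE, 2, 0x00010000, 0xFFFFFFFFFFFFFFFF)
    struct.pack_into(">QQ", footer, 40, len(body), len(body))
    struct.pack_into(">I", footer, 60, 2)
    struct.pack_into(">I", footer, 64, vhd_checksum(footer))
    return body + bytes(footer)


def sample_image() -> bytes:
    """Constructed sample (not real malware): a decoy PDF marker at 512, a minimal
    PE stub at 2048, and a stray 'MZ' at 3000 that must not be reported."""
    body = bytearray(4096)
    body[512:521] = b"%PDF-1.4\n"
    pe = bytearray(0x44)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    pe[0x40:0x44] = b"PE\0\0"
    body[2048:2048 + len(pe)] = pe
    body[3000:3002] = b"MZ"
    return build_fixed_vhd(bytes(body))


if __name__ == "__main__":
    print(triage(sample_image()))
```

This is signature carving, not file-system parsing: it finds a PE stored contiguously in an NTFS data run but not one that is fragmented or resident in the MFT, so treat it as a cheap first pass (or a trigger for a full mount-and-scan in a sandbox) rather than a substitute for inspecting the mounted volume. For a dynamic VHD the same footer structure also appears as a copy at offset 0 of the file.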
In late November, Intezer researchers found a VHD file that had been uploaded to the VirusTotal scanning platform from Azerbaijan. Inside the image were a PDF and an executable posing as a Microsoft Word document; the executable was the Zebrocy malware.
The PDF is a presentation about Sinopharm International Corporation, a Chinese pharmaceutical company whose COVID-19 vaccine was in the trial phase at the time.
The Zebrocy variant inside the VHD was new and had a low detection rate on VirusTotal. Intezer's analysis nevertheless showed that the new sample is genetically similar (shares code) with a Delphi variant used a year earlier in a campaign against targets in Azerbaijan.
Source of information: bleepingcomputer.com