Russian threat actors use new ComRAT and Zebrocy malware in recent attacks

Russian threat actors use new ComRAT and Zebrocy malware in recent attacks

U.S. government cybersecurity experts warned that “sophisticated threat actors” have been using new Russian malware variants, ComRAT and Zebrocy, in recent cyberattacks.

According to new malware analysis reports, Russian advanced persistent threat (APT) actors from Turla have developed new malware variant ComRAT.

In addition, Russian-linked APT28 hacking group has been behind attacks using Zebrocy malware.

ComRAT malware

Cybersecurity experts from the Cybersecurity and Infrastructure Security Agency (CISA), the Cyber National Mission Force (CNMF) and the Federal Bureau of Investigation (FBI) published the new malware report on ComRAT malware variant and threat on October 29, 2020.

“FBI has high-confidence that Russian-sponsored APT actor Turla, which is an espionage group active for at least a decade, is using ComRAT malware to exploit victim networks. The group is well known for its custom tools and targeted operations,” CISA, CNMF and FBI stated in the report.

According to CISA, CNMF and FBI, the actors use a PowerShell script to decode and load a 64-bit dynamic-link library (DLL) identified as ComRAT version 4.

“This new variant of ComRAT contains embedded 32-bit and 64-bit DLLs used as communication modules. The communication module (32-bit or 64-bit DLL) is injected into the victim system’s default browser,” the experts explained.

Organizations should check out the malware report for more details and indicators of compromise (IoC) of ComRAT.

Zebrocy malware

In addition to ComRAT, the Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber National Mission Force (CNMF) also published a new report on Zebrocy malware variant.

CISA and CNMF said a “sophisticated cyber actor” has been using Zebrocy in cyber attacks.

“Two Windows executables identified as a new variant of the Zebrocy backdoor were submitted for analysis. The file is designed to allow a remote operator to perform various functions on the compromised system,” CISA and CNMF explained in the report.

The cyber experts provided IoC details for each of the Windows malware samples in the report.

Although a specific group was not explicitly called out in the malware report, some security researchers reported that the Russian-linked APT28 group used Zebrocy in recent attacks against NATO members.

APT28 (also known as Fancy Bear, Pawn Storm, Sofacy and Strontium) has also been linked to German government attacks, IoT attacks, as well as hotels in Europe and the Middle East, just to name a few over past several years.

Related Articles