Russian hackers target government agencies with fake NATO training course

The notorious Russian hacker group Fancy Bear, also known as APT28 and Strontium, is targeting the government agencies of NATO member states.
The group, which was allegedly behind the 2016 attack on the U.S. Democratic National Committee, is now using sophisticated malware called Zebrocy Delphi to target government bodies and steal data.
First discovered by QuoIntelligence in August 2020, the malware was disguised as fake NATO training materials sent to targeted computers, according to the company's cyber security researchers. At first glance the training materials appeared legitimate, but a closer look revealed their malicious purpose.
The course material distributed by APT28 contained a file named “Course 5 October 16, 2020.zipx”. The file looks like a zip archive containing NATO materials. When the researchers renamed the .zipx extension to .jpg, they found that it behaved exactly like an image file, displaying the logo of the Supreme Headquarters Allied Powers Europe (SHAPE), NATO Allied Command Operations (ACO) in Belgium. However, it was not what it appeared to be.
When the researchers dug deeper, they found that the file was a JPEG/ZIP polyglot. “This technique works because JPEG files are parsed from the start of the file, and several Zip implementations parse Zip files from the end of the file (as the index is located there) without looking at the signature at the front,” the researchers explained.
Through this technique, the Fancy Bear hackers aimed to evade antivirus detection, since a scanner would mistake the file for an image (JPG/JPEG) and let it pass. However, the file can only be decompressed with WinRAR. If the victim uses WinZip or any other decompression program, it displays an error message claiming the file is corrupt.
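The parsing asymmetry the researchers describe (image parsers trust the head of the file, archive parsers trust the tail) is what a defender can check for directly. The script below is an added example, not code from QuoIntelligence or the original report: it flags a file that both starts with a JPEG marker and ends with a valid ZIP central directory, and reports how many bytes were prepended in front of the archive. The sample input is constructed in the script and is not the actual lure.

```python
import io
import struct
import zipfile

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker, checked at the front
ZIP_EOCD = b"PK\x05\x06"     # ZIP end-of-central-directory signature, at the back
ZIP_CDH = b"PK\x01\x02"      # ZIP central-directory file header signature


def find_eocd(data: bytes):
    """Locate the EOCD record the way archivers do: scan backwards from the end.
    The record is 22 bytes plus an optional comment of up to 65535 bytes."""
    tail_start = max(0, len(data) - (22 + 0xFFFF))
    pos = data.rfind(ZIP_EOCD, tail_start)
    if pos < 0 or pos + 22 > len(data):
        return None
    # sig(4) disk(2) cd_disk(2) entries_disk(2) entries(2) cd_size(4) cd_offset(4) comment_len(2)
    _, _, _, _, entries, cd_size, cd_offset, _ = struct.unpack("<4sHHHHIIH", data[pos:pos + 22])
    return pos, entries, cd_size, cd_offset


def analyze(data: bytes) -> dict:
    """Report which parser would accept the blob and whether it is a JPEG/ZIP polyglot."""
    looks_jpeg = data.startswith(JPEG_SOI)
    looks_zip, prepended = False, 0
    eocd = find_eocd(data)
    if eocd:
        pos, _entries, cd_size, cd_offset = eocd
        # The central directory really ends where the EOCD starts; the gap between
        # that and the offset recorded in the EOCD is the data prepended to the archive.
        cd_start = pos - cd_size
        prepended = cd_start - cd_offset
        looks_zip = cd_start >= 0 and data[cd_start:cd_start + 4] == ZIP_CDH
    return {
        "jpeg_header": looks_jpeg,
        "zip_trailer": looks_zip,
        "prepended_bytes": prepended if looks_zip else 0,
        "polyglot": looks_jpeg and looks_zip,
    }


def build_sample() -> bytes:
    """Constructed test input (not the real lure): a JPEG-like 64-byte prefix
    followed by a small zip archive, mimicking the structure described above."""
    image_part = JPEG_SOI + b"\xe0" + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("course.txt", "benign placeholder content")
    return image_part + buf.getvalue()
```

A file whose leading magic says "image" but whose trailer parses as a ZIP central directory is exactly the case worth quarantining, regardless of its extension.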
Once decompressed, two files appear: “Course 5 October 2020.exe” and “Course 5 October 16, 2020.xls”. The .xls file, however, cannot be opened in Microsoft Excel, which reports it as corrupt. The researchers found that the file contained information about military personnel for the “Mission of the African Union for Somalia”.
The real goal, however, was to lure the victim into opening the other file, which carries a PDF icon and contains the Zebrocy Delphi malware. If file extensions are hidden, the victim would unknowingly click on what looks like a PDF of the course material but is in fact an executable (.exe) disguised as one.
Once executed, the file drops the Zebrocy malware and creates a scheduled task designed to send stolen data to a remote server. It also communicates with a command-and-control (C2) server in France. According to BleepingComputer, the Zebrocy malware can be used for multiple purposes: it can create and modify files, take screenshots and execute commands.
QuoIntelligence found that Azerbaijan was targeted by the malware. Although the country is not a NATO member, it cooperates with the alliance and participates in its training exercises. The researchers believe that many other NATO countries may already have been targeted.