Russian Cyberspies Use COVID-19 Vaccine Lures to Deliver Malware
2020-12-10 13:06

The Russia-linked cyberspy group known as Zebrocy has adopted COVID-19 vaccine-related lures in a recently observed phishing campaign, threat detection and response company Intezer reported on Wednesday.

Initially detailed in 2018, Zebrocy is believed to be associated with the infamous Russian state-sponsored hacking group Sofacy.

In November, Intezer's security researchers observed Zebrocy phishing emails carrying lure documents about Chinese pharmaceutical company Sinopharm International Corporation, which has reached phase three clinical trials for a COVID-19 vaccine.

Initially, the adversary delivered the Delphi variant of the Zebrocy malware to victims, but in mid-November the attackers switched to the Go version. First used in 2015, Zebrocy functions as a downloader, but it is also capable of collecting and exfiltrating information from infected systems before fetching and executing a next-stage payload. The Delphi version was the first to be used in attacks; AutoIT, C++, C#, Delphi, Go, and VB.NET samples were discovered afterwards.

Screenshots taken on the infected system are uploaded to the C&C server, which may respond with the next-stage payload. During their investigation, Intezer's researchers discovered another Go version of Zebrocy that had been used in earlier attacks, as well as a second VHD file, uploaded to VirusTotal in October, that dropped the Delphi version of the malware.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/C_ZSA8mj0ck/russian-cyberspies-use-covid-19-vaccine-lures-deliver-malware