US Cyber Command has exposed eight new malware samples that were developed and deployed by Russian hackers in recent attacks.
Six of the eight samples are for the ComRAT malware (used by the Turla hacking group), while the other two are samples for the Zebrocy malware (used by the APT28 hacking group).
Both ComRAT and Zebrocy are malware families that have been used by Russia hacking groups for years, with ComRAT being deployed in attacks for more than a decade, having evolved from the old Agent.BTZ malware.
Both Turla and APT28 have consistently updated both tools to add evasion techniques and keep their malware undetected.
The purpose of this recent US government exposé is to share recent versions of these hacking tools with the general public so system administrators and other defenders can add detection rules and update protective measures.
On Thursday, US Cyber Command’s Cyber National Mission Force (CNMF) uploaded samples of the new ComRAT and Zebrocy versions on its VirusTotal account, while the Cybersecurity and Infrastructure Security Agency (CISA), in cooperation with the Federal Bureau of Investigation’s CyWatch, published two security advisories describing ComRAT and Zebrocy’s inner workings.
Malware strains formally linked to Russia for the first time
As Slovak cyber-security firm ESET pointed out this week, the joint CYBERCOM, CISA, and FBI alerts also mark the first time that ComRAT and Zebrocy have been formally linked to the Russian government’s cyber-espionage units.
Attribution for both ComRAT and Zebrocy has always been done in an informal manner in reports published by privately-owned security vendors, but never in advisories published by government agencies.
The US government has not linked any of these recent samples to any recent security incidents.
In the past, ComRAT has been used to target ministries of foreign affairs and a national parliament (per ESET), while Zebrocy was used to target embassies and ministries of foreign affairs (also, per ESET).
Victims of both malware have been identified in Eastern Europe and Central Asia, US Cyber Command said.
Earlier this week, cyber-security vendor Accenture also published a report on recent Turla operations and its prevalence to use the ComRAT malware.
The joint US government advisory was published on Halloween. US cyber-security agencies have recently made it a habit to expose malware operations on well-known holidays as a way to send greetings to foreign threat actors.