Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Russian Hackers Hide Zebrocy Malware In Virtual Disk Images

Russian Hackers Hide Zebrocy Malware In Virtual Disk Images

Russian-speaking hackers behind Zebrocy malware have changed their technique for delivering malware to high-profile victims and started to pack the threats in Virtual Hard Drives (VHD) to avoid detection.

The technique was spotted in recent spear-phishing campaigns from threat group APT28 (Fancy Bear, Sofacy, Strontium, Sednit) to infect target systems with a variant of the Zebrocy toolset.

New Zebrocy variants enjoy low detection

Zebrocy comes in many programming languages (AutoIT, C++, C#, Delphi, Go, VB.NET). For the recent campaigns, the threat actor chose the Golang-based version instead of the more common Delphi one.

Windows 10 supports VHD files natively and can mount them as external drives to allow users to view the files within. Last year, security researchers discovered [12] that antivirus engines do not check VHD contents until the disk images are mounted.

Researchers at Intezer discovered at the end of November a VHD uploaded to the Virus Total scanning platform from Azerbaijan. Inside the image were a PDF file and an executable posing as a Microsoft Word document, which Zebrocy malware.

The PDF is a presentation about the Sinopharm International Corporation, a Chinese pharmaceutical company that is currently in phase three trials for a COVID-19 vaccine.

Also Read: Trusted Data Sharing Framework IMDA Announced In Singapore

The Zebrocy variant in the VHD file is a new one that enjoyed low detection on Virus Total. On November 30, only nine engines out of 70 detected the malware.

However, Intezer’s analysis showed that the new Zebrocy is genetically similar to a Delphi variant used a year ago in a campaign against targets in Azerbaijan.

VHD files used in other campaigns

Based on clues in the malicious VHD, the researchers discovered that the threat actor had conducted similar campaigns since at least October.

Other disc images used as phishing lures had been uploaded to Virus Total, one of them on November 12 from Kazakhstan and another with a creation timestamp of October 21.

Both of the last two VHD images included a Zebrocy sample impersonating a Microsoft Word document and a PDF file, and they share the same disk ID.

The oldest one, though, delivered a Delphi-based variant of the malware and used a PDF bait written in Russian.

Also Read: The Importance Of Knowing Personal Data Protection Regulations

Zebrocy has been used for years and is a set of downloaders, droppers, and backdoors. The Golang-based variant was discovered last year and has been used on and off by the hackers.

The use of VHD disk images appears to be a new page in the malware delivery book of the threat group behind Zebrocy. The technique was seen before in phishing operations from the Cobalt group to distribute the CobInt loader in late December 2019.

In its report published today, Intezer provides indicators of compromise for the command and control server, the VHD files, and the Zebrocy malware samples used in the recent phishing campaigns.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us