APT28 Hiding Malware in Virtual Disk Images

Recently, this publication reported on how APT28, the infamous Russian nation-state threat actor, changed tactics to target the Norwegian parliament and recent US elections. Rather than the favored method of using spear phishing to initially compromise victims and steal credentials, the group employed brute-force attacks to gain access to victims’ infrastructure. New research by security firm Intezer shows that the group has not completely abandoned its spear-phishing tactics. Why would they? It is still an incredibly effective method of credential-stealing when done right or dropping malware onto targeted machines.

In November, Intezer researchers discovered an APT28 campaign utilizing phishing lures designed to spread the Zebrocy malware. Several characteristics set this campaign apart from others seen in the past. Firstly, the malware was written in Go, or Golang, and not the more traditional version written in Delphi. Secondly, the malware was delivered via Virtual Hard Disk (VHD) files. Windows 10 allows users to run VHD files natively now and maybe partly behind the decision to weaponize the file format to spread Zebrocy. VHD files are popularly used to run multiple operating systems on a single machine, allowing developers to test applications on multiple platforms without having to partition hard drives which can be a hassle.

This is not the first time researchers have seen the Zebrocy malware written in a different programming language. Since been first seen in the wild in mid-2015 the backdoor trojan has been written in Delphi, AutoIT, C++, C#, and now Go. The Go variant was first seen being distributed in 2018 so by no means a new development but when combined with the abuse of the VHD file format, it is an evolution in how the malware is spread. No matter the programming language used the malware is used primarily in campaigns targeting foreign governments and businesses that are involved in foreign affairs.

Victims have been found across the globe including Afghanistan, Azerbaijan, Bosnia and Herzegovina, China, Egypt, Georgia, Iran, Japan, Kazakhstan, Korea, Kyrgyzstan, Mongolia, Russia, Saudi Arabia, Serbia, Switzerland, Tajikistan, Turkey, Turkmenistan, Ukraine, Uruguay, and Zimbabwe. apt28 using virtual disk images for malware

As in the past, the malware has been delivered by a spear-phishing campaign loaded with a malicious Microsoft Office document. In the campaign discovered by Intezer, the lure used is related to the COVID-19 vaccine, and rather than a malicious Office document it is presented as a PDF presentation from the Sinopharm International Corporation. The Chinese pharmaceutical company is currently in phase three trials for a COVID-19 vaccine, making it a good subject matter for phishing lures. Further, the group is well-known to use current events when creating phishing lures. The email does not have the PDF attached directly but is rather bundled in a VHD file, the VHD contains the PDF and the malware as an executable which is further pretending to be a Windows Word document.

Malware Analysis

When researchers took a closer look at the second file containing the malware it was then discovered that it contained the malware. The attackers used the fact that Windows by default hides file extensions, this makes it easier to trick users into believing that the Word document is legitimate. This change in tactics resulted in very low detection rates as illustrated on VirusTotal.

By the end of November, only nine malware engines out of a possible 70 detected the file, 30-22-243.vhd, as malware. The code, while written in Go, is genetically similar to a version written in Delphi seen in targeted attacks against organizations in Azerbaijan. Rather than the malware delivering the Delphi downloader, it now delivers the Go downloader, researchers further noted,

“The downloader is similar to the original downloader reported by Palo Alto Networks Unit 42. The sample has been obfuscated with gobfuscator, the same tool used by the Blackrota malware. The sample doesn’t collect the same amount of information about the infected machine (i.e., running processes, local disk information, and system information from “systeminfo”) as in previous campaigns. Instead, it collects the hostname and the path to the user’s TEMP folder. This information is used to generate an identifier by hashing the values with MD5. The screenshot functionality is not performed by an imported third-party library. Rather, the malware author has included the screenshot code from the library directly in the main codebase. The malware has some anti-debugging checks. In Figure 6, it can be seen how the malware calls the Windows API function IsDebuggerPresent. If true is returned, it enters an infinite sleeping loop.”

This is also not the first time the Go version has been seen in the wild. Researchers noted seeing the above-mentioned version in a sample uploaded to VirusTotal from Kazakhstan on November 12. In this instance, the file was named No.243.CB3-EVACUATION LETTER.vhd. While the file name was different many of the same tactics were used, including the abuse of the VHD file format. In concluding, researchers noted,

“Zebrocy is a malware toolset used by the Sofacy threat group. While the group keeps changing obfuscation and delivery techniques, code reuse allowed Intezer to detect and correctly classify this malware. With these recent phishing lures, it’s clear that COVID-19 themed attacks are still a threat and we might see more as vaccines become available to the general public…It’s important that companies use defense-in-depth strategies to protect against threats. Employers should also ensure employees are trained on detecting and reacting to phishing attempts. Phishing attempts do not always originate from an external email address; they can also come from a compromised account within the enterprise.”

Low VHD Detection Rates

This is not the first instance where attackers have abused the VHD file format to bypass detection. In September 2019, it was reported that Windows and several other anti-virus vendors were failing to detect malware stored in a VHD file. In many circumstances, the scanning of files in a VHD file is the only day if the file is mounted like one would a hard drive. If the file is not mounted, and files inside are opened in more than a few cases no virus scan would have taken place. Part of the problem is levels of trust granted to specific file formats in Windows. If data is fetched from an online location then no matter the format they are less trusted and rightfully so. For untrusted files that marked and only granted limited access to resources.

VHD files differ as they are not subject to the same protections in Windows. Antivirus malware engines operate in a similar way meaning that malicious files stored within a VHD file, often referred to as an image, would not be scanned for potential malware. But is what just Windows and malware engines that showed this blind spot. In the same month, it was discovered that Chrome and Gmail also failed to detect malware in VHD files. Gmail does exclude a list of file extensions that are blocked for security reasons.

However, if a VHD file is sent it bypassed these security checks. Gmail’s blacklist bans executables even if compressed, however, if a VHD file is not mounted like in the case of Windows no files in the VHD file can be scanned. For Chrome and Gmail, the problem is more acute as both applications have no way to mount the file in the first place. As long as the VHD extension is seen as not being a risk it won’t be added to the blacklist. At the time of writing VHD and VHDx files had not been added to the blacklist.

In cases regarding Windows, malware engines, and Google applications, academics showed that well-known and equally well-detected malware could bypass detection using this method. Given that APT28 now has a history of exploiting VHD files it may be time to develop improved scanning techniques or adding the file extension to a blacklist in the case of Gmail and Chrome. Academic further proved that this was not only possible to do but was dead easy, meaning that in the future it won’t be highly skilled nation-state actors using the technique but financially motivated hackers of varying skill levels.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal