US Cyber Command has exposed eight new malware samples that were developed and deployed by Russian hackers in recent attacks.
Six of the eight samples are for the ComRAT[1] malware (used by the Turla[2] hacking group), while the other two are samples for the Zebrocy[3] malware (used by the APT28[4] hacking group).
Both ComRAT and Zebrocy are malware families that have been used by Russian hacking groups for years, with ComRAT being deployed in attacks for more than a decade, having evolved from the old Agent.BTZ malware[5].
Both Turla and APT28 have consistently updated both tools to add evasion techniques and keep their malware undetected.
The purpose of this recent US government exposé is to share recent versions of these hacking tools with the general public so system administrators and other defenders can add detection rules and update protective measures.
On Thursday, US Cyber Command's Cyber National Mission Force (CNMF) uploaded samples of the new ComRAT and Zebrocy versions to its VirusTotal account[6], while the Cybersecurity and Infrastructure Security Agency (CISA), in cooperation with the Federal Bureau of Investigation's CyWatch, published two security advisories describing the inner workings of ComRAT[7] and Zebrocy[8].
As Slovak cyber-security firm ESET pointed out this week[9], the joint CYBERCOM, CISA, and FBI alerts also mark the first time that ComRAT and Zebrocy have been formally linked to the Russian government's cyber-espionage units.
Attribution for both ComRAT and Zebrocy has always been done in an informal manner in reports published by privately-owned security vendors, but never in advisories published by government agencies.
The US government has not linked any of these recent samples to any recent security incidents.
In the past, ComRAT has been used to