March 28, 2023

Researchers has spotted a malicious campaign against entities in Armenia that used a backdoor OxtaRAT

As per the advisory, the malicious campaign was executed amid rising tensions between Azerbaijan and Armenia over the Lachin corridor in late 2022.

The version of OxtaRAT used in the campaign is a polyglot file, which combines compiled AutoIT script and an image. The tool capabilities include searching for and exfiltrating files from the infected machine, recording the video from the web camera and desktop, remotely controlling the compromised machine with TightVNC, installing a web shell, performing port scanning.

Advertisements

The samples are related to Azerbaijani government interests; they either targeted Azerbaijani political or human rights activists. This new campaign represents the first instance of these attackers using OxtaRAT against Armenian individuals and corporations.

A significant overlap in major TTPs is been identified

  • The use of AutoIT malware.
  • The use of files with SCR extensions bearing document-related icons (PDF, Word).
  • A focus on surveillance technology (keylogging, screen capture, data exfiltration).
  • Similar consistent targeting.

It presents changes in the infection chain, improved operational security, and new functionality to improve the ways to steal the victim’s data. It indicates that the underlying threat actors have been maintaining the development of Auto-IT based malware for the last seven years and are using it in surveillance campaigns whose targets are consistent with Azerbaijani interests.

This research was documented by researchers from Checkpoint

Advertisements

Indicators of Compromise

  • 6ac414fad3d61ad5b23c2bcdd8ee797f
  • ddac9a1189e4b9528d411e07d0e98895
  • 0360185bc6371ae42ca0dffe0a21455d
  • ddac9a1189e4b9528d411e07d0e98895
  • 1c94f1c6241cb598da5da7150a0dc541
  • df9673032789847a367df9923bbd44d2
  • a1a39e458977aa512b7ff2ba1995b18d
  • cf225029cade918d92b4b4e2b789b7a5
  • 86b5245112436e8a5eabf92fab01ffba
  • edupoliceam[.]info
  • filesindrive[.]info
  • mediacloud[.]space
  • avvpassport[.]info
  • filecloudservices[.]xyz
  • 38.242.197[.]156
Tags:

Leave a Reply

You may have missed

Apache Fineract Vulnerabilities

Apache Fineract Vulnerabilities

March 28, 2023
IceID Malware Shifting Focus to Ransomwares

IceID Malware Shifting Focus to Ransomwares

March 28, 2023
Sun Pharma suffers a Security Incident

Sun Pharma suffers a Security Incident

March 28, 2023
Twitter Source Code Leak on Git

Twitter Source Code Leak on Git

March 27, 2023
Okta Credentials Exposed via Post Exploitation Attack

Okta Credentials Exposed via Post Exploitation Attack

March 27, 2023
Dark Power Ransomware Dissection

Dark Power Ransomware Dissection

March 26, 2023
%d bloggers like this: