Cartoon of a computer with spear-phishing and binary code on the screen
Source: Muhammad Ribkhan via Alamy Stock Photo

A spear-phishing email posing as a memo from the president of an Azerbaijan company hid malware behind images to infiltrate businesses associated with the firm.

According to research from Fortinet, the emails cited the conflict between Azerbaijan and Armenia and contained a zip file. The photos in that file contained both genuine and malicious content.

The victims were management teams of businesses associated with the Azerbaijani company, according to Fortinet. Fortinet senior security engineer Fred Gutierrez, who declined to name the spoofed firm, says other businesses hit with the campaign included subsidiaries of the company as well as its business partners.

The email claimed to contain information about a border clash between soldiers from Azerbaijan and Armenia and included an obfuscated link delivered via HTML smuggling, which displays four images, one of which is actually an LNK file that downloads the malware.

"Opening the email is enough to begin the infection chain," Gutierrez says. "It will automatically download a zip file — that contained the images — to the user's computer. HTML smuggling requires the user to perform an action to actually become fully infected. In this case, the user would have to manually type in the password to open the zip file and then launch the corresponding file inside."

The password is included in the text of the email, he adds.

HTML smuggling occurs when JavaScript automatically downloads a zip file to the victim's computer once the email is opened; at that point, the user is notified that the zip file has been downloaded. There's no option to decline or accept the download.

Once the user opens the downloaded zip file and enters a password that opens the fake image, the installer is downloaded.

What Is Unique About the Malware?

This malware is programmed in the increasingly popular Rust language.

The malware creates a temporary file named "24rp.xml" that sets a scheduled task to steal the information outside of regular office hours. Researchers claim the malware can sleep for random amounts of time when performing its tasks. This technique assumes that the intended targets leave their computers on overnight so the malware can execute outside regular office hours, when it is less likely to be noticed.

What Does It Steal?

The malware culls basic computer information and sends it to a command-and-control (C2) server. Gutierrez says the malware only looks for basic information, including the privileges and permissions of the victims, system configuration, applications running, network configuration, and a list of user accounts.

"The nature of the information suggests this is either a red-teaming exercise or, more likely, the next step in the reconnaissance phase of a targeted attack," he says.

To defend against this type of attack, Fortinet recommends learning the signs of phishing, whether it comes in the form of an email or a webpage, as in a watering hole attack. Gutierrez also recommends that users avoid opening unknown files, use anti-malware programs and services, and report any strange files to their IT or network security departments.

For the obfuscated link, the mitigation is not so straightforward. According to an advice page from MITRE, this type of attack technique cannot be easily mitigated with preventive controls because it is based on the abuse of system features.

About the Author(s)

Dan Raywood, Senior Editor, Dark Reading

With more than 20 years' experience in B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.
