Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa.
Images purporting to be of the Armenia and Azerbaijan conflict were malware downloaders in disguise.
Dan Raywood, Senior Editor, Dark Reading
September 29, 2023
3 Min Read
Source: Muhammad Ribkhan via Alamy Stock Photo
A spear-phishing email posing as a memo from the president of an Azerbaijan company hid malware behind images to infiltrate businesses associated with the firm.
According to research from Fortinet, the emails cited the conflict between Azerbaijan and Armenia and contained a zip file. The photos in that file contained both genuine and malicious content.
The victims were management teams of businesses associated with the Azerbaijanian company, according to Fortinet. Fortinet senior security engineer Fred Gutierrez, who declined to name the spoofed firm, says other businesses hit with the campaign included subsidiaries of the company as well as its business partners.
The email claims to contain information about a border clash between soldiers from Azerbaijan and Armenia, and included an obfuscated link via HTML smuggling, which displays four images, one of which is actually a LNK file that downloads the malware.
"Opening the email is enough to begin the infection chain," Gutierrez says. "It will automatically download a zip file — that contained the images — to the user's computer. HTML smuggling requires the user to perform an action to actually become fully infected. In this case, the user would have to manually type in the password to open the zip file and then launch the corresponding file inside."
The password is included in the text of the email, he adds.
Once the user opens the downloaded zip file and enters a password that opens the fake image, the installer is downloaded.
What Is Unique About the Malware?
This malware is programmed in the increasingly popular Rust language.
The malware creates a temporary file named "24rp.xml" that sets a scheduled task to steal the information outside of regular office hours. Researchers claim the malware can sleep for random amounts of time when performing its tasks. This technique assumes that the intended targets leave their computers on overnight so the malware can execute outside regular office hours, when it is less likely to be noticed.
What Does It Steal?
The malware culls basic computer information and sends it to a command-and-control (C2) server. Gutierrez says the malware only looks for basic information, including the privileges and permissions of the victims, system configuration, applications running, network configuration, and a list of user accounts.
"The nature of the information suggests this is either a red-teaming exercise or, more likely, the next step in the reconnaissance phase of a targeted attack," he says.
To defend against this type of attack, Fortinet recommends learning the signs of phishing, whether it comes in the form of an email or a webpage such as in a watering hole attack. Gutierrez also recommends users avoid opening unknown files, using anti-malware programs and services, as well as reporting any strange files to their IT or network security departments.
For the obfuscated link, the mitigation is not so straightforward. According to an advice page from MITRE, this type of attack technique cannot be easily mitigated with preventive controls because it is based on the abuse of system features.
Read more about:DR Global Middle East & Africa
About the Author(s)
With more than 20 years experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.
You May Also Like