Attacks on Azerbaijan Businesses Drop Malware via Fake Image Files

A spear-phishing email posing as a memo from the president of an Azerbaijan company hid malware behind images to infiltrate businesses associated with the firm.

According to research from Fortinet, the emails cited the conflict between Azerbaijan and Armenia and contained a zip file. The photos in that file contained both genuine and malicious content.

The victims were management teams of businesses associated with the Azerbaijanian company, according to Fortinet. Fortinet senior security engineer Fred Gutierrez, who declined to name the spoofed firm, says other businesses hit with the campaign included subsidiaries of the company as well as its business partners.

The email claims to contain information about a border clash between soldiers from Azerbaijan and Armenia, and included an obfuscated link via HTML smuggling, which displays four images, one of which is actually a LNK file that downloads the malware.

"Opening the email is enough to begin the infection chain," Gutierrez says. "It will automatically download a zip file — that contained the images — to the user's computer. HTML smuggling requires the user to perform an action to actually become fully infected. In this case, the user would have to manually type in the password to open the zip file and then launch the corresponding file inside."

The password is included in the text of the email, he adds.

HTML smuggling occurs when JavaScript automatically downloads a zip file to the victim's computer once the email is opened; at that point, the user is notified that the zip file has been downloaded. There's no option to decline or accept the download.

Once the user opens the downloaded zip file and enters a password that opens the fake image, the installer is downloaded.

What Is Unique About the Malware?

This malware is programmed in the increasingly popular Rust language.

The malware creates a temporary file named "24rp.xml" that sets a scheduled task to steal the information outside of regular office hours. Researchers claim the malware can sleep for random amounts of time when performing its tasks. This technique assumes that the intended targets leave their computers on overnight so the malware can execute outside regular office hours, when it is less likely to be noticed.

What Does It Steal?

The malware culls basic computer information and sends it to a command-and-control (C2) server. Gutierrez says the malware only looks for basic information, including the privileges and permissions of the victims, system configuration, applications running, network configuration, and a list of user accounts.

"The nature of the information suggests this is either a red-teaming exercise or, more likely, the next step in the reconnaissance phase of a targeted attack," he says.

To defend against this type of attack, Fortinet recommends learning the signs of phishing, whether it comes in the form of an email or a webpage such as in a watering hole attack. Gutierrez also recommends users avoid opening unknown files, using anti-malware programs and services, as well as reporting any strange files to their IT or network security departments.

For the obfuscated link, the mitigation is not so straightforward. According to an advice page from MITRE, this type of attack technique cannot be easily mitigated with preventive controls because it is based on the abuse of system features.