Malicious Image Files Used for Malware Attacks on Azerbaijan Businesses Decrease

A recent spear-phishing campaign targeting businesses associated with an Azerbaijani company has been uncovered by Fortinet researchers. This campaign utilized a malicious email posing as a memo from the president of the company and leveraged the ongoing conflict between Azerbaijan and Armenia to deceive its victims.

According to the research conducted by Fortinet, the spear-phishing emails contained a zip file that included both genuine and malicious content. The victims of this campaign were the management teams of businesses affiliated with the Azerbaijani company, including its subsidiaries and business partners.

The email claimed to provide information about a border clash between soldiers from Azerbaijan and Armenia. It also included an obfuscated link that used HTML smuggling techniques. When the email was opened, the link displayed four images, one of which was actually an LNK (Windows shortcut) file that downloaded the malware onto the victim’s computer.

Fred Gutierrez, a senior security engineer at Fortinet, explained that simply opening the email was enough to initiate the infection process. The zip file, which contained the images, was automatically downloaded to the user’s computer. However, to become fully infected, the user had to manually enter the password to open the zip file and launch the corresponding file inside.

What makes this malware notable is that it is written in Rust, a language increasingly popular among developers. The malware creates a temporary file named “24rp.xml” that sets up a scheduled task to steal information outside regular office hours. It can sleep for random periods of time while performing its tasks, on the assumption that the targeted individuals leave their computers on overnight. This lets the malware run during non-working hours, when it is less likely to be noticed.
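A scheduled task that fires outside office hours and runs a binary from a temporary directory is exactly the kind of registration a defender can audit for, for example by exporting task definitions (`schtasks /query /xml`) or by parsing the XML the registering process drops. The following is an added example written for this article, not Fortinet's code, and it assumes the dropped “24rp.xml” is an ordinary Windows Task Scheduler XML definition; the two task documents and the 08:00 to 18:00 working-hours window are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace used by Windows Task Scheduler XML definitions.
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
WORK_START_HOUR, WORK_END_HOUR = 8, 18  # assumed office hours

# Constructed sample modelled on the behaviour described in the article:
# a daily trigger at 22:30 executing a binary from the user's temp directory.
SUSPICIOUS_TASK_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-03-15T22:30:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\victim\AppData\Local\Temp\update.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign sample: a daytime task running an installed program.
BENIGN_TASK_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-03-15T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Backup\backup.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def audit_task(xml_text: str) -> list[str]:
    """Return human-readable findings for one Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    findings = []

    # Any trigger whose start time falls outside the working-hours window.
    for elem in root.iter(f"{{{TASK_NS}}}StartBoundary"):
        start = datetime.fromisoformat(elem.text.strip())
        if not (WORK_START_HOUR <= start.hour < WORK_END_HOUR):
            findings.append(f"trigger starts at {start.time()} outside office hours")

    # Any action that executes from a temporary or per-user writable location.
    for elem in root.iter(f"{{{TASK_NS}}}Command"):
        command = (elem.text or "").strip()
        lowered = command.lower()
        if "\\temp\\" in lowered or "\\appdata\\" in lowered:
            findings.append(f"action runs from a user-writable path: {command}")

    return findings


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, audit_task(doc) or "no findings")
```

Neither check is conclusive on its own, since legitimate backup or update jobs also run at night, but a task that meets both conditions and was registered by a freshly downloaded process is worth an alert, and the same two conditions map cleanly onto a SIEM rule over task-creation events.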

The stolen information includes basic computer details such as privileges and permissions, system configuration, running applications, network configuration, and a list of user accounts. Gutierrez believes that the nature of the stolen information suggests either a red-teaming exercise or the reconnaissance phase of a targeted attack.

To defend against this type of attack, Fortinet recommends educating users about the signs of phishing, whether it comes in the form of an email or a webpage (such as a watering hole attack). Users should also be cautious when opening unknown files, utilize anti-malware programs and services, and report any suspicious files to their IT or network security departments.

Mitigating the risks associated with obfuscated links is more challenging. According to MITRE, HTML smuggling cannot be easily prevented with traditional controls, because it relies on abusing legitimate system features.

Overall, this spear-phishing campaign highlights the ongoing challenges businesses face in protecting themselves against targeted attacks. As attackers continue to evolve their techniques, organizations must remain vigilant and implement robust security measures to mitigate the risks associated with such attacks.
