A malicious campaign carried out against an Armenian entity in November 2022 was discovered by security researchers at Check Point Research (CPR). According to Thursday’s advisory, the campaign relied on a backdoor the security firm tracks as OxtaRAT.
“The latest version of OxtaRAT is a polyglot file that combines compiled AutoIT scripts and images,” the technical article reads.
“The tool’s capabilities include finding and extracting files from infected machines, recording video from webcams and desktops, remotely controlling compromised machines with TightVNC, installing web shells, and performing port scans.”
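The quote above describes OxtaRAT's carrier as a polyglot: a file that parses as an image while also carrying compiled AutoIT script content. A generic defensive triage check for that class of file is to parse the image format properly and report anything that follows the image's own end marker, since a renderer never needs those bytes. The following is an added example written for this page, not Check Point Research's detection logic and not code from the article; it assumes PNG as the carrier format (the article does not say which image format was used), builds a constructed clean PNG inline, and appends a constructed placeholder blob rather than any real script binary.

```python
"""Check whether a PNG carries extra bytes after its IEND chunk.

Added illustration for the polyglot technique quoted above. Not Check Point
Research's detection logic. PNG is assumed as the carrier format; the
appended payload is a constructed placeholder, not a real AutoIT binary.
"""
import struct
import zlib
from typing import Dict, List, Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """Constructed 1x1 8-bit RGB PNG used as the clean sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed stand-in for an appended script blob (placeholder bytes only).
CONSTRUCTED_TAIL = b"CONSTRUCTED-APPENDED-PAYLOAD-PLACEHOLDER" + b"\x00" * 24


def walk_png(data: bytes) -> Optional[Dict]:
    """Parse chunks up to IEND; return None if the data is not a complete PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    chunks: List[str] = []
    bad_crc: List[str] = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start = pos + 8
        body_end = body_start + length
        chunk_end = body_end + 4
        if chunk_end > len(data):
            return None  # truncated chunk: not a complete image
        body = data[body_start:body_end]
        stored_crc = struct.unpack(">I", data[body_end:chunk_end])[0]
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != stored_crc:
            bad_crc.append(ctype.decode("latin-1"))
        chunks.append(ctype.decode("latin-1"))
        pos = chunk_end
        if ctype == b"IEND":
            return {"image_end": pos, "chunks": chunks, "bad_crc": bad_crc}
    return None  # no IEND chunk found


def scan(data: bytes) -> Dict:
    """Summarise a file: is it a PNG, and does anything follow the image?"""
    info = walk_png(data)
    if info is None:
        return {"format": "not-png-or-invalid", "trailing_bytes": None, "suspicious": False}
    tail = data[info["image_end"]:]
    return {
        "format": "png",
        "chunks": info["chunks"],        # non-standard chunk types are worth a look too
        "bad_crc": info["bad_crc"],      # a tampered chunk body breaks its CRC
        "trailing_bytes": len(tail),
        "trailing_preview": tail[:16].hex(),
        # Bytes after IEND are never needed to render the image.
        "suspicious": len(tail) > 0 or bool(info["bad_crc"]),
    }


if __name__ == "__main__":
    clean = make_minimal_png()
    polyglot = clean + CONSTRUCTED_TAIL
    for name, blob in (("clean.png", clean), ("polyglot.png", polyglot)):
        print(name, scan(blob))
```

The check walks the chunk structure rather than searching for an `IEND` byte string, so payload bytes that happen to contain that sequence cannot confuse it. It only catches data appended after the image; content hidden inside an ancillary chunk would pass, which is why the chunk list and CRC results are returned for an analyst to review.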
CPR said the malicious campaign was carried out in late 2022 amid heightened tensions between Azerbaijan and Armenia over the Lachin Corridor.
“All samples of this and previous campaigns are related to the interests of the Azerbaijani government and refer to tensions between Azerbaijan and Armenia over Karabakh,” CPR wrote.
However, the company clarified that the new campaign is the first example of these attackers using OxtaRAT against Armenian individuals and businesses. Furthermore, CPR added that the November 2022 campaign was different from previous activities carried out by the attackers.
“[It] offers new features to change the infection chain, improve operational security, and improve how it steals victim data.”
In the advisory, CPR provides defenders with indicators of compromise (IOCs) related to the recent OxtaRAT attack. The company also warns that these attacks are likely to continue.
“All the details indicate that the underlying attackers have maintained AutoIT-based malware development for the past seven years and have used it in surveillance campaigns consistent with Azerbaijani interests.”
The CPR advisory comes a few weeks after another remote access Trojan (RAT) called “SparkRAT” was found targeting East Asian organizations.