
An Armenian entity was targeted in a cyberattack using an updated version of a backdoor called OxtaRAT, which enables remote access and desktop surveillance.
“The tool’s capabilities include finding and extracting files from infected machines, recording video from webcams and desktops, remotely controlling compromised machines with TightVNC, installing web shells, and performing port scans,” Check Point Research said in its report.
The latest campaign is said to have begun in November 2022, marking the first time the threat actor behind it has expanded its reach beyond Azerbaijan.
“The threat actors behind these attacks have been targeting human rights groups, dissidents and independent media in Azerbaijan for several years,” said the cybersecurity firm, which dubbed the campaign Operation Silent Watch.
The intrusions in the second half of 2022 are notable for changes in the infection chain, measures to improve operational security, and additional capabilities added to the backdoor.
The attack sequence starts with a self-extracting archive that mimics a PDF file and carries a PDF icon. Launching the purported “document” opens a decoy file and silently executes malicious code hidden within an image.
OxtaRAT, a polyglot file that combines a compiled AutoIT script with an image, lets attackers execute additional commands and files, gather sensitive information, perform reconnaissance and surveillance via webcams, and includes a command that allows the operators to pivot to another location.
OxtaRAT was also used by the attackers in June 2021, though with significantly reduced functionality, which points to an ongoing effort to update the toolset and turn it into Swiss Army knife malware.
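A polyglot of this kind passes any check that only looks at the file's leading bytes, because the image header is genuine; the payload lives past the image's logical end. The following is an added example (not Check Point's tooling or OxtaRAT code) that walks PNG chunks to IEND and JPEG segments to the EOI marker and reports whatever trails the image. The "AU3!EA06" compiled-AutoIt marker is taken from public AutoIt analysis and is an assumption of this example, as are the constructed sample files; the presence of any trailer at all is the primary signal.

```python
"""Spot image files with data appended past the image's logical end.

Added illustrative code, not Check Point's tooling. It parses PNG chunks up to
IEND and JPEG segments up to the EOI marker, then reports any trailing bytes
and whether they contain a compiled-AutoIt marker or a PE header. The
"AU3!EA06" magic is an assumption of this example, as is the sample data.
"""
import struct
import zlib
from typing import Dict, Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Markers searched for in trailing data. Any trailer at all is the primary
# signal; markers only label what was appended. "MZ" alone is a weak hint.
PAYLOAD_MARKERS = {
    "autoit_compiled": b"AU3!EA06",  # assumed compiled-AutoIt script magic
    "pe_header": b"MZ",
}


def png_logical_end(data: bytes) -> Optional[int]:
    """Offset just past the IEND chunk, or None if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        next_pos = pos + 8 + length + 4  # length + type + payload + CRC
        if next_pos > len(data):
            return None  # truncated chunk
        if ctype == b"IEND":
            return next_pos
        pos = next_pos
    return None


def jpeg_logical_end(data: bytes) -> Optional[int]:
    """Offset just past the EOI marker (FF D9), or None if not a well-formed JPEG."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:  # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def inspect_image(data: bytes) -> Dict[str, object]:
    """Identify the container, locate its logical end and scan anything after it."""
    if data.startswith(PNG_SIG):
        fmt, end = "png", png_logical_end(data)
    elif data.startswith(b"\xff\xd8"):
        fmt, end = "jpeg", jpeg_logical_end(data)
    else:
        return {"format": "unknown", "trailing_bytes": 0, "markers": [], "suspicious": False}
    if end is None:
        # Claims to be an image but does not parse as one: worth a look too.
        return {"format": fmt, "trailing_bytes": 0, "markers": [], "suspicious": True}
    trailer = data[end:]
    markers = sorted(name for name, magic in PAYLOAD_MARKERS.items() if magic in trailer)
    return {"format": fmt, "trailing_bytes": len(trailer), "markers": markers,
            "suspicious": len(trailer) > 0}


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def minimal_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as sample input; not a real artifact."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


# Constructed samples: a clean image, and the same image with a fake script blob appended.
CONSTRUCTED_CLEAN = minimal_png()
CONSTRUCTED_POLYGLOT = minimal_png() + b"AU3!EA06" + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in (("clean", CONSTRUCTED_CLEAN), ("polyglot", CONSTRUCTED_POLYGLOT)):
        print(name, inspect_image(blob))
```

Run it over files whose extension or icon says "image" or "PDF"; a file that parses cleanly but carries a trailer, or one that will not parse at all despite the right magic, is the case the article describes. Expect benign trailers in the wild (EXIF thumbnails, editor padding), so treat the marker list as a triage aid rather than a verdict.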

The November 2022 attacks also stand out for several reasons. First, the OxtaRAT implant is embedded directly in the .SCR file that starts the kill chain, rather than that file acting as a downloader that retrieves the malware.
“This saves the actor from having to request additional binaries from the C&C server, which would draw unnecessary attention, and it also prevents the main malware from being easily discovered on the infected machine, because it looks like an image and bypasses type-specific protections,” explained Check Point.
The second notable aspect is the geofencing of the command-and-control (C2) domains that host the auxiliary tools, which respond only to Armenian IP addresses.
Also worth noting is OxtaRAT’s ability to run commands for port scanning and to test the speed of the victim’s internet connection. The latter could be used as a way to hide “extensive” data exfiltration.
“OxtaRAT, which was previously primarily responsible for local reconnaissance and surveillance, can now be used as an active reconnaissance pivot for other devices,” Check Point said.
“This may indicate that the threat actors are preparing to expand their primary attack vector, which is currently social engineering, into infrastructure-based attacks. This could indicate that they are increasingly targeting more complex, enterprise environments.”
“The threat actors have maintained AutoIT-based malware development for the past seven years and are using it in surveillance campaigns aimed at targets consistent with Azerbaijan’s interests.”
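Once an implant on a workstation starts port scanning, as described above, the compromised host begins to behave like a scanner on the internal network, which is something connection telemetry can surface regardless of how the implant is packaged. The following is an added example (not Check Point's detection content) of a sliding-window detector over constructed, Zeek-conn-like records; the tab-separated layout, the set of failed connection states counted as probes, and the thresholds are all assumptions of this example.

```python
"""Sliding-window port-scan detector over connection records.

Added illustrative code, not Check Point's detection content. The record layout
is an assumed, Zeek-conn-like tab-separated format:
ts<TAB>src_ip<TAB>dst_ip<TAB>dst_port<TAB>proto<TAB>conn_state
Only rejected or unanswered connection attempts are counted as probes.
"""
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

# Connection states treated as probes (assumed subset of Zeek conn_state values).
PROBE_STATES = {"REJ", "S0", "RSTO", "RSTOS0"}


def build_sample_log() -> List[str]:
    """Constructed sample: one workstation probing 30 ports on an internal host
    within three seconds, plus benign HTTPS traffic from another host."""
    t0 = 1700000000.0
    lines = []
    for i, port in enumerate(range(20, 50)):
        lines.append(f"{t0 + i * 0.1:.2f}\t10.0.0.15\t10.0.0.20\t{port}\ttcp\tREJ")
    for i in range(5):
        lines.append(f"{t0 + i * 60:.2f}\t10.0.0.30\t10.0.0.50\t443\ttcp\tSF")
    return lines


def parse_conn(lines: Iterable[str]) -> Iterator[Tuple[float, str, str, int, str, str]]:
    """Yield (ts, src, dst, dport, proto, state) from the assumed record layout."""
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, state = line.split("\t")
        yield float(ts), src, dst, int(dport), proto, state


def detect_port_scans(lines: Iterable[str], window_s: float = 60.0,
                      min_targets: int = 15) -> Dict[str, int]:
    """Map source IP -> peak number of distinct (dst_ip, dst_port) probes seen
    inside any window of window_s seconds, for sources reaching min_targets."""
    per_src: Dict[str, List[Tuple[float, str, int]]] = defaultdict(list)
    for ts, src, dst, dport, _proto, state in parse_conn(lines):
        if state in PROBE_STATES:
            per_src[src].append((ts, dst, dport))
    alerts: Dict[str, int] = {}
    for src, events in per_src.items():
        events.sort()
        in_window: Dict[Tuple[str, int], int] = defaultdict(int)
        left, peak = 0, 0
        for ts, dst, dport in events:
            in_window[(dst, dport)] += 1
            while ts - events[left][0] > window_s:  # slide the window forward
                old = (events[left][1], events[left][2])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    print(detect_port_scans(build_sample_log()))
```

Counting distinct (host, port) pairs rather than raw attempts keeps retries from inflating the score, and restricting the count to failed states separates probing from a busy but legitimate client. Tune the window and threshold to the environment; a workstation that suddenly touches dozens of closed ports on peers is the pivot behaviour the report warns about.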