Targets located in Azerbaijan have been singled out as part of a new campaign that's designed to deploy Rust-based malware on compromised systems.
Cybersecurity firm Deep Instinct is tracking the operation under the name Operation Rusty Flag. It has not been associated with any known threat actor or group.
"The operation has at least two different initial access vectors," security researchers Simon Kenin, Ron Ben Yizhak, and Mark Vaitzman said in an analysis published last week. "One of the lures used in the operation is a modified document that was used by the Storm-0978 group. This could be a deliberate 'false flag.'"
The attack chain leverages an LNK file named 1.KARABAKH.jpg.lnk as a launchpad to retrieve a second-stage payload, an MSI installer, hosted on Dropbox.
The installer file, for its part, drops an implant written in Rust, an XML file for a scheduled task to execute the implant, and a decoy image file that features watermarks of the symbol of the Azerbaijan Ministry of Defense.
An alternate infection vector is a Microsoft Office document named "Overview_of_UWCs_UkraineInNATO_campaign.docx," which exploits CVE-2017-11882, a six-year-old memory corruption vulnerability in Microsoft Office's Equation Editor, to invoke a Dropbox URL hosting a different MSI file serving a variant of the same Rust backdoor.
The use of Overview_of_UWCs_UkraineInNATO_campaign.docx is noteworthy, as a lure with the same filename was leveraged by Storm-0978 (aka RomCom, Tropical Scorpius, UNC2596, and Void Rabisu) in recent cyber attacks targeting Ukraine that exploit an Office remote code execution flaw (CVE-2023-36884).
"This activity looks like a deliberate false flag attempt to pin this attack on Storm-0978," the researchers said.
The Rust backdoor, one of which masquerades as "WinDefenderHealth.exe," comes fitted with capabilities to gather information from the compromised host and send it to an attacker-controlled server.
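Added example, not code from Deep Instinct's report or from this article: a small hunting helper for two artifacts the write-up names, the double-extension LNK lure (1.KARABAKH.jpg.lnk) and a scheduled task that launches the implant posing as WinDefenderHealth.exe. The Task Scheduler XML below is constructed sample data; the drop location C:\Users\Public and the logon trigger are assumptions, not details from the report.

```python
"""Hunting helper for the Rusty Flag artifacts described in the article.

Added example (not Deep Instinct's code). Flags (1) LNK files wearing a
document/image extension in front of .lnk and (2) Task Scheduler XML whose
action runs a Defender-lookalike binary from outside the system directories.
"""
import re
import xml.etree.ElementTree as ET

# Real Task Scheduler XML namespace, as emitted by `schtasks /query /xml`.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Genuine Defender binaries live under Program Files / Windows; a
# Defender-sounding name anywhere else is worth a look.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
DEFENDER_LOOKALIKE = re.compile(r"windefender\w*\.exe$", re.IGNORECASE)
DOUBLE_EXT_LNK = re.compile(r"\.(jpg|jpeg|png|pdf|docx?)\.lnk$", re.IGNORECASE)


def is_double_extension_lnk(filename: str) -> bool:
    """True for lures such as 1.KARABAKH.jpg.lnk that pose as images/documents."""
    return DOUBLE_EXT_LNK.search(filename) is not None


def suspicious_task_commands(task_xml: str) -> list[str]:
    """Return <Command> paths from a task definition that name a
    Defender-lookalike executable outside the system directories."""
    root = ET.fromstring(task_xml)
    hits = []
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"')
        low = path.lower()
        in_system_dir = any(low.startswith(d) for d in SYSTEM_DIRS)
        if DEFENDER_LOOKALIKE.search(low) and not in_system_dir:
            hits.append(path)
    return hits


# Constructed sample: a plausible task file for the implant (assumed path/trigger).
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Public\\WinDefenderHealth.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print(is_double_extension_lnk("1.KARABAKH.jpg.lnk"))  # True
    print(suspicious_task_commands(SAMPLE_TASK_XML))      # ['C:\\Users\\Public\\WinDefenderHealth.exe']
```

On a live host the same function can be fed the output of `schtasks /query /xml` for each task to sweep persistence entries.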
The exact end goals of the campaign remain unclear at this stage. At the same time, the possibility that it could be a red team exercise has not been discounted.
"Rust is becoming more popular among malware authors," the researchers said. "Security products are not yet detecting Rust malware accurately, and the reverse engineering process is more complex."