Headline
Rust Implant Used in New Malware Campaign Against Azerbaijan
By Waqas KEY FINDINGS Organizations should take steps to protect themselves from this campaign by keeping software up to date,… This is a post from HackRead.com Read the original post: Rust Implant Used in New Malware Campaign Against Azerbaijan
KEY FINDINGS
A new malware campaign targeting Azerbaijani targets has been discovered.
The campaign uses a novel malware implant written in the Rust programming language.
The implant is difficult to detect by security solutions and reverse engineering.
The attackers used a decoy image file of the Azerbaijani MOD symbol in the campaign.
Organizations should take steps to protect themselves from this campaign by keeping software up to date, educating employees about cybersecurity best practices, and using a comprehensive security solution.
A new malware campaign targeting Azeri infrastructure has been discovered by the Deep Instinct Threat Lab. The campaign is notable for its use of a novel malware implant written in the Rust programming language.
The campaign has at least two different initial access vectors. The first is a malicious LNK file with the filename “1.KARABAKH.jpg.lnk.” This file has a double extension to lure the victim into clicking on it, as it appears to be an image file related to the recent military conflict in Nagorno-Karabakh.
The LNK file downloads and executes an MSI installer hosted on Dropbox. This installer then drops an implant written in Rust, an XML file for a scheduled task to execute the implant, and a decoy image file. The image file includes watermarks of the symbol of the Azerbaijani Ministry of Defense (MOD).
Decoy image file and the invoice (Credit: Deep Instinct Threat Lab)
The second initial access vector is a modified version of a document that was previously used by the Storm-0978 group. This document exploits CVE-2017-11882 in Microsoft Equation Editor to download and install a malicious MSI file. This MSI file also drops a variant of the same Rust implant, as well as a decoy PDF invoice.
Once the Rust implant is executed, it goes to sleep for 12 minutes. This is a known method to avoid detection by security researchers and sandboxes. The implant is then expected to gather information and send it to the attacker’s server.
According to Deep Instinct Threat Lab’s blog post, could not attribute these attacks to any known threat actor. However, the fact that both Rust implants had zero detections when first uploaded to VirusTotal shows that writing malware in esoteric languages can bypass many security solutions.
The campaign attack flow (Credit: Deep Instinct Threat Lab)
Implications of the Campaign
The use of a Rust implant in this campaign is significant for several reasons. First, Rust is a relatively new programming language, and it is not yet widely used by malware authors. This makes it more difficult for security products to detect Rust malware.
Second, Rust is a compiled language, which means that the malware is converted into machine code before it is executed. This makes it more difficult to reverse engineer the malware.
Azerbaijan and Armenia have been engaged in several conflicts, which have witnessed a significant number of cyber attacks. However, it’s essential not to overlook or dismiss recent tensions between Azerbaijan and Iran as a potential cause of this malware campaign.
Recommendations for Organizations
Organizations should take the following steps to protect themselves from this campaign and other similar attacks:
- Keep software up to date, including operating systems and security solutions.
- Be careful about clicking on links in emails and messages, even if they appear to be from known senders.
- Educate employees about cybersecurity best practices, such as phishing awareness and password security.
- Use a security solution that can detect and block malware written in esoteric languages.
Conclusion
This new malware campaign targeting Azerbaijani targets serves as a reminder that attackers are continuously developing new techniques to bypass security solutions. Organizations must take the necessary steps to safeguard themselves from these threats.
While common sense is a valuable defence against such attacks, organizations should also contemplate transitioning their infrastructure from Windows to Linux as an additional security measure.
Related news
Spanish speakers beware! A new campaign using the Agent Tesla RAT targets Spanish-speaking individuals. Learn how to protect…
The U.S. Justice Department (DoJ) on Friday announced the seizure of online infrastructure that was used to sell a remote access trojan (RAT) called Warzone RAT. The domains – www.warzone[.]ws and three others – were "used to sell computer malware used by cybercriminals to secretly access and steal data from victims' computers," the DoJ said. Alongside the takedown, the
The threat actor referred to as Cloud Atlas has been linked to a set of spear-phishing attacks on Russian enterprises. Targets included a Russian agro-industrial enterprise and a state-owned research company, according to a report from F.A.C.C.T., a standalone cybersecurity company formed after Group-IB's formal exit from Russia earlier this year. Cloud Atlas, active since at
A new variant of the Agent Tesla malware has been observed delivered via a lure file with the ZPAQ compression format to harvest data from several email clients and nearly 40 web browsers. "ZPAQ is a file compression format that offers a better compression ratio and journaling function compared to widely used formats like ZIP and RAR," G Data malware analyst Anna Lvova said in a Monday analysis.
By Deeba Ahmed FortiGuard Discovers Phishing Campaign Distributing New Agent Tesla Variant to Windows Devices. This is a post from HackRead.com Read the original post: New Agent Tesla Variant Uses Excel Exploit to Infect Windows PCs
The Iranian threat actor tracked as APT34 has been linked to a new phishing attack that leads to the deployment of a variant of a backdoor called SideTwist. “APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability,” NSFOCUS Security Labs said in a report published last week. APT34, also known by
CISA’s Known Exploited Vulnerabilities Catalog has become a valuable repository of vulnerabilities to be patched. A pair of reports analyze the vulnerabilities under attack to understand the kind of threats organizations should be prioritizing.
Over a dozen military-industrial complex enterprises and public institutions in Afghanistan and Europe have come under a wave of targeted attacks since January 2022 to steal confidential data by simultaneously making use of six different backdoors. Russian cybersecurity firm Kaspersky attributed the attacks "with a high degree of confidence" to a China-linked threat actor tracked by Proofpoint
By Deeba Ahmed Research reveals that around 80% of all malware attacks used MS Office flaws. Atlas VPN has shared its… This is a post from HackRead.com Read the original post: Microsoft Office Most Exploited Software in Malware Attacks – Report
The dangerous malware appears to be well and truly back in action, sporting new variants and security-dodging behaviors in a wave of recent phishing campaigns.
The malware is using spreadsheets, documents, and other types of Microsoft Office attachments in a new and improved version that is often able to bypass email gateway-security scanners.
Notable new infection chain uses PDF to embed malicious files, load remote exploits, shellcode encryption, and more, new research shows.
Microsoft Word also leveraged in the email campaign, which uses a 22-year-old Office RCE bug.
An espionage-focused threat actor known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government organizations as part of an ongoing campaign that commenced in August 2021. Cybersecurity firm Cisco Talos attributed the activity with moderate confidence to a hacking group dubbed the Bitter APT based on overlaps in the command-and-control (C2)