Targets situated in Azerbaijan have been singled out as section of a new marketing campaign which is built to deploy Rust-dependent malware on compromised techniques.
Cybersecurity business Deep Instinct is tracking the procedure beneath the title Operation Rusty Flag. It has not been linked with any regarded threat actor or team.
“The operation has at minimum two distinct first access vectors,” security researchers Simon Kenin, Ron Ben Yizhak, and Mark Vaitzman reported in an examination published very last 7 days. “A person of the lures used in the operation is a modified doc that was utilised by the Storm-0978 group. This could be a deliberate ‘false flag.'”
The attack chain leverages an LNK file named 1.KARABAKH.jpg.lnk as a launchpad to retrieve a 2nd-stage payload, an MSI installer, hosted on Dropbox.
The installer file, for its section, drops an implant written in Rust, an XML file for a scheduled undertaking to execute the implant, and a decoy image file that attributes watermarks of the symbol of the Azerbaijan Ministry of Defense.
An alternate infection vector is a Microsoft Office doc named “Overview_of_UWCs_UkraineInNATO_marketing campaign.docx,” which exploits CVE-2017-11882, a 6-12 months-previous memory corruption vulnerability in Microsoft Office’s Equation Editor, to invoke a Dropbox URL hosting a distinct MSI file serving a variant of the very same Rust backdoor.
The use of Overview_of_UWCs_UkraineInNATO_campaign.docx is noteworthy, as a entice with the exact filename was leveraged by Storm-0978 (aka RomCom, Tropical Scorpius, UNC2596, and Void Rabisu) in latest cyber attacks focusing on Ukraine that exploit an Workplace remote code execution flaw (CVE-2023-36884).
Forthcoming WEBINARIdentity is the New Endpoint: Mastering SaaS Security in the Modern day Age
Dive deep into the potential of SaaS security with Maor Bin, CEO of Adaptive Defend. Find out why identification is the new endpoint. Secure your location now.
Supercharge Your Expertise
“This action seems like a deliberate false flag attempt to pin this attack on Storm-0978,” the scientists claimed.
The Rust backdoor, one of which masquerades as “WinDefenderHealth.exe,” will come fitted with abilities to get info from the compromised host and send it to an attacker-managed server.
The exact conclusion plans of the campaign continue being unclear at this phase. At the same time, the possibility that it could be a pink team exercising has not been discounted.
“Rust is turning into much more preferred among malware authors,” the scientists stated. “Security products are not yet detecting Rust malware precisely, and the reverse engineering procedure is more sophisticated.”
Uncovered this posting exciting? Stick to us on Twitter and LinkedIn to study far more distinctive content we submit.
Some parts of this short article are sourced from: