Check Point Research uncovers a malicious campaign targeting Armenian based targets

Highlights:

  • Amid rising tensions between Azerbaijan and Armenia, Check Point Research identified a malicious campaign against entities in Armenia
  • Malware used in the campaign aims to remotely control compromised machines and carry out surveillance operations
  • CPR analysis shows clear indication of these attackers targeting corporate environments of Armenian targets
  • Check Point’s Threat Prevention provides protection against the malware described in this research

Rising tension between Azerbaijan and Armenia fetches malicious campaigns

The Republic of Artsakh, also known as the Nagorno-Karabakh Republic, is a breakaway region in the South Caucasus. With a majority ethnic Armenian population, it is recognized internationally as part of Azerbaijan. It is a de facto enclave within Azerbaijan, with the only land route to Armenia through the Lachin corridor, which has been under the control of Russian peacekeepers since the end of the Second Nagorno-Karabakh War in 2020. The situation in Artsakh is tense, with frequent ceasefire violations and sporadic outbreaks of violence. For more than two decades, this unresolved, highly militarized ethno-nationalist territorial conflict continues to be a source of tension between Armenia and Azerbaijan.

Amid rising tensions since late 2022, Check Point Research identified a malicious campaign against entities in Armenia. The malware distributed in this campaign is a new version of a backdoor we track as OxtaRAT, an AutoIt-based tool for remote access and desktop surveillance.

The tool capabilities include searching for and exfiltrating files from the infected machine, recording the video from the web camera and desktop, remotely controlling the compromised machine, installing web shell, performing port scanning and more.

Figure 1 – The infection chain of the campaign

Compared to previous campaigns of this threat actor, the latest campaign from November 2022 presents changes in the infection chain, improved operational security and new functionality to improve the ways to steal the victim’s data.

The threat actors behind these attacks have been targeting human rights organizations, dissidents, and independent media in Azerbaijan for several years. This is the first time there is a clear indication of these attackers using OxtaRAT against Armenian targets and targeting corporate environments.

Previous campaigns

Although not widely discussed, previous versions of the OxtaRAT backdoor were used in earlier attacks against Azerbaijani political and human rights activists – or, when the targets were not disclosed publicly, their lures referenced Azerbaijan-Armenia tensions around Artsakh. The older versions of OxtaRAT have significantly less functionality than the new variant but contain similar code and names for most of the commands and the same C&C communication pattern.

Check Point Customer remain protected against the threat described in this research

Harmony Endpoint provides comprehensive endpoint protection at the highest security level, enriched by the power of ThreatCloud. ThreatCloud, the brain behind all of Check Point’s products, combines the latest AI technologies with big data threat intelligence to prevent the most advanced attacks- crucial to avoid security breaches and data compromises.

TE: Trojan.WIN.OxtaRAT.A

In addition, Check Point customers remain protected against the threat described in this research with

Anti Bot protections :

Trojan.WIN32.OxtaRAT.A

Trojan.WIN32.OxtaRAT.B