Armenian organizations affected by new version of OxtaRAT spy tool
Cybersecurity experts are sure that geopolitics became the reason for organizing the malicious campaign.
Last November, organizations in Armenia were attacked using an updated version of a backdoor called OxtaRAT, which provides remote access and desktop monitoring. Cybersecurity specialists from Check Point link these attacks with the difficult geopolitical situation between Armenia and Azerbaijan.
The campaign reportedly launched in November 2022 and marked the first time that the hackers behind the attack have expanded their operations outside of Azerbaijan. Previously, they attacked human rights organizations, dissidents and independent Azerbaijani media.
“The capabilities of the OxtaRAT tool include finding and deleting files from an infected computer, recording video from a webcam and desktop, remote control of a compromised computer, installing a web shell, port scanning, and much more,” the Check Point report says.
The attack relied on the familiar social engineering. The starting point was a self-extracting “.scr” archive with a clickbait name. The archive mimics a PDF file and carries a matching icon. Opening the supposed “document” displays a decoy file while, in the background, several more payload files are unpacked and malicious code embedded in an ordinary “.png” image is executed via an AutoIt script.
Figure: Scheme of activation and deployment of OxtaRAT.
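The infection chain above rests on two lure ingredients that a defender can screen for cheaply: an executable with a document-style double extension (a “.pdf.scr” that really starts with a PE “MZ” header) and an image that still parses as a PNG but carries extra bytes beyond its IEND chunk. The following triage script is an added example written for this article; it is not Check Point's code and not part of the report. The file names, the “appended after IEND” embedding technique (the article does not say how the code is hidden in the image), and the sample files it builds are all constructed assumptions for the demo.

```python
"""
Heuristic triage for the two lure ingredients described in the article:
  1. a self-extracting ".scr" whose name mimics a document ("statement.pdf.scr")
     and whose bytes are actually a Windows PE ("MZ" header);
  2. a ".png" that parses as a valid PNG but has data after the IEND chunk,
     one common way to smuggle a payload inside an otherwise ordinary image.
All sample files, names and thresholds here are constructed for the demo.
"""
import struct
import tempfile
import zlib
from pathlib import Path

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}   # assumed "document" inner extensions
EXEC_EXTS = {".scr", ".exe", ".com", ".pif"}            # extensions Windows executes on click
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def looks_like_document_masquerade(path: Path) -> bool:
    """True for name.<doc>.<exec> files that really start with a PE 'MZ' header."""
    suffixes = [s.lower() for s in path.suffixes]
    if len(suffixes) < 2 or suffixes[-1] not in EXEC_EXTS or suffixes[-2] not in DOC_EXTS:
        return False
    with path.open("rb") as f:
        return f.read(2) == b"MZ"


def png_trailing_bytes(path: Path) -> int:
    """Walk the PNG chunk list and return the byte count after IEND.
    Returns 0 for a clean PNG and -1 when the file is not a well-formed PNG."""
    data = path.read_bytes()
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + payload + CRC
        if ctype == b"IEND":
            return len(data) - pos     # anything left over is not part of the image
    return -1                          # truncated or malformed chunk list


def triage(directory: Path) -> list[tuple[str, str]]:
    """Scan one directory and return (file name, reason) findings in sorted order."""
    findings = []
    for p in sorted(directory.iterdir()):
        if looks_like_document_masquerade(p):
            findings.append((p.name, "executable masquerading as a document"))
        elif p.suffix.lower() == ".png":
            extra = png_trailing_bytes(p)
            if extra > 0:
                findings.append((p.name, f"{extra} bytes appended after PNG IEND"))
    return findings


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_samples(directory: Path) -> None:
    """Write constructed sample files: a clean 1x1 PNG, the same PNG with a
    placeholder blob appended, a fake 'statement.pdf.scr' PE stub and a real-looking PDF."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)      # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x00")                        # filter byte + one pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    (directory / "clean.png").write_bytes(png)
    (directory / "lure.png").write_bytes(png + b"CONSTRUCTED-PAYLOAD-PLACEHOLDER")
    (directory / "statement.pdf.scr").write_bytes(b"MZ" + b"\x00" * 62)  # fake PE stub
    (directory / "notes.pdf").write_bytes(b"%PDF-1.4\n")


def demo() -> list[tuple[str, str]]:
    """Build the constructed samples in a temp directory and triage them."""
    d = Path(tempfile.mkdtemp())
    build_samples(d)
    return triage(d)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

The double-extension check deliberately requires the PE magic as well as the name pattern, so a genuinely misnamed document is not flagged; the PNG check walks chunks rather than searching for the IEND string, so an IEND byte sequence inside compressed pixel data cannot cause a false hit.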
OxtaRAT allows cybercriminals to send malicious commands and files, collect sensitive information, conduct reconnaissance and surveillance using a webcam. The malware was first used back in June 2021, albeit with significantly reduced functionality. This indicates that the developers of this malicious software are constantly improving it.
Compared to previous campaigns using OxtaRAT, the latest November campaign introduces changes to the infection chain, improved operational security, and new functionality to improve the way victim data is stolen.
Check Point specialists named this malicious campaign “Silent Watch”, but did not mention the name under which they track this hacker group. The development of the malware indicates that the attackers are preparing to expand their main attack vector, which is currently social engineering, to infrastructure attacks that affect corporate environments rather than individual users.