The OxtaRAT malware campaign targets Armenian companies

March 9, 2023

The developers of the OxtaRAT malware have upgraded their operations by updating their remote access and desktop surveillance tool. According to the reports, the threat actors behind it have added several capabilities that make it stealthier, and they are now aiming it at new targets.

Researchers found that the OxtaRAT operators had shifted from targeting Azerbaijani political entities to Armenian corporate firms. This change began in November of last year.

The OxtaRAT operators deliver their attacks through a polyglot image file posing as a PDF.

The campaign relies on a geopolitical lure: the attackers send what looks like an image of a PDF document, but the file is a polyglot that combines a valid image with a compiled AutoIT script, so it renders as a picture while also being executable.

When run, this file behaves as a self-extracting cabinet (CAB) archive named Alexander_Lapshin.EXE, which drops additional files to disk and launches one of the dropped scripts.
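The infection chain above hinges on a file that is both a valid image and a container for something else. The following added example (written for this page, not code from Check Point Research or from the OxtaRAT operators) walks the PNG chunk list or the JPEG marker segments to find where the image legitimately ends and then reports any trailing data that starts with a cabinet, PE or archive signature. The signature table and the sample files are constructed for the example; the real lure's exact layout is not described on this page, so the code demonstrates the general technique rather than a signature for this specific campaign.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"

# Signatures an appended payload commonly begins with (constructed list for this example).
PAYLOAD_SIGNATURES = {
    b"MSCF": "Microsoft cabinet archive",
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP archive",
    b"Rar!\x1a\x07": "RAR archive",
    b"7z\xbc\xaf\x27\x1c": "7-Zip archive",
}


def png_image_end(data):
    """Walk PNG chunks; return the offset just past the IEND chunk, or None if not a well-formed PNG."""
    if not data.startswith(PNG_MAGIC):
        return None
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + chunk data + CRC
        if ctype == b"IEND":
            return pos
    return None


def jpeg_image_end(data):
    """Walk JPEG marker segments up to SOS, then locate the EOI marker; return the offset just past it."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded data follows; the next FF D9 is the EOI marker
            eoi = data.find(b"\xff\xd9", pos + 2)
            return None if eoi < 0 else eoi + 2
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # length includes its own 2 bytes
        pos += 2 + seglen
    return None


def find_trailing_payload(data):
    """Return (offset, description) for data appended after the image, or None if the image ends cleanly."""
    end = png_image_end(data) or jpeg_image_end(data)
    if end is None or end >= len(data):
        return None
    trailer = data[end:]
    for sig, desc in PAYLOAD_SIGNATURES.items():
        idx = trailer.find(sig)
        if idx >= 0:
            return end + idx, desc
    # Anything after the image end is already suspicious, even without a known signature.
    return end, "unidentified trailing data (%d bytes)" % len(trailer)


def build_png(extra=b""):
    """Construct a minimal 1x1 PNG (well-formed, with real CRCs) and append `extra` to it."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")                     # one filter byte + one pixel
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + extra


# Constructed samples: a clean PNG, the same PNG with a fake CAB header appended,
# and a minimal JPEG (APP0 + SOS + EOI) with a fake PE header appended.
CLEAN_PNG = build_png()
POLYGLOT_PNG = build_png(b"MSCF" + b"\x00" * 32)
CLEAN_JPEG = (JPEG_SOI
              + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x00" * 6
              + b"\x12\x34" + b"\xff\xd9")
POLYGLOT_JPEG = CLEAN_JPEG + b"MZ\x90\x00\x03\x00"

if __name__ == "__main__":
    for name, sample in (("clean.png", CLEAN_PNG), ("lure.png", POLYGLOT_PNG),
                         ("clean.jpg", CLEAN_JPEG), ("lure.jpg", POLYGLOT_JPEG)):
        print(name, find_trailing_payload(sample))
```

The check is deliberately structural: it does not trust the file extension or the leading magic bytes, which is exactly what a polyglot is designed to satisfy, but asks whether the image format itself accounts for every byte in the file. Replace the constructed samples with `open(path, "rb").read()` to run it over real attachments.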

The dropper also opens a decoy, a Wikipedia article about Alexander Lapshin, a Russian-Israeli human rights activist, so that the target has something to read while the malware keeps running in the background.

The earlier OxtaRAT already let its operators run arbitrary commands, conduct desktop surveillance, steal sensitive information and open files on compromised machines. The new version adds further capabilities on top of these.

The researchers noted that the new OxtaRAT payload is embedded directly in the initial image file, unlike the previous campaign, in which the lure file was only a downloader that fetched the payload later in the attack.

The attackers have also geofenced their command-and-control server, serving only connections that appear to come from the targeted region, which keeps their tools and follow-on payloads out of reach of defenders and automated analysis systems elsewhere.

The developers added about ten new commands to OxtaRAT, including exfiltration of arbitrary file types, recursive enumeration of the files in a folder, and collection of additional metadata such as last-modification date and file size.

Security researchers expect the OxtaRAT operators to keep evolving the tool and to extend their targeting to further regions.
