Armenia and Azerbaijan Hackers Use OxtaRAT to Monitor Conflict

A malicious campaign conducted against entities in Armenia in November 2022 has been spotted by security researchers at Check Point Research (CPR). According to a Thursday advisory, the campaign relied on a backdoor tracked by the security firm as OxtaRAT.

“The newest version of OxtaRAT is a polyglot file, which combines compiled AutoIT script and an image,” reads the technical write-up.

“The tool capabilities include searching for and exfiltrating files from the infected machine, recording the video from the web camera and desktop, remotely controlling the compromised machine with TightVNC, installing a web shell, performing port scanning, and more.”

According to CPR, the malicious campaign was executed amid rising tensions between Azerbaijan and Armenia over the Lachin corridor in late 2022.

“All of the samples from this campaign and earlier ones are related to Azerbaijani government interests; they either targeted Azerbaijani political and human rights activists or, if the targets were not disclosed publicly, reference tensions between Azerbaijan and Armenia over Artsakh/Nagorno-Karabakh,” CPR wrote.

However, the company clarified that the new campaign represents the first instance of these attackers using OxtaRAT against Armenian individuals and corporations. Further, CPR added that the November 2022 campaign differed from previous activity conducted by the threat actors.

“[It] presents changes in the infection chain, improved operational security, and new functionality to improve the ways to steal the victim’s data.”

In the advisory, CPR provides defenders with indicators of compromise (IOCs) connected with the recent OxtaRAT attacks. The company also warns them that these attacks are likely to continue.

“All the details indicate that the underlying threat actors have been maintaining the development of Auto-IT based malware for the last seven years and are using it in surveillance campaigns whose targets are consistent with Azerbaijani interests.”

The CPR advisory comes weeks after a separate remote access Trojan (RAT) malware dubbed "SparkRAT" was spotted targeting East Asian organizations.
