
OxtaRAT Surveillance Tool Used to Target Corporate Entities in Armenia

Developers of OxtaRAT, a remote access and desktop surveillance tool, have released an update that takes their malicious campaigns to the next level. The operators behind the malware have added several capabilities that make it more efficient and stealthier, and they are now using it against new geographical areas.

Infecting victims

According to Check Point researchers, since November 2022, OxtaRAT attackers have shifted their focus from the traditional targeting of Azerbaijan political entities to Armenian corporate entities.
  • The attack involved a geopolitical lure: the attackers shared a screensaver file (.SCR) masquerading as a PDF file. It is a polyglot file that combines an image with a compiled AutoIt script (OxtaRAT itself).
  • Once executed, it launches a self-extracting CAB file called Alexander_Lapshin.EXE, which drops more files and executes one of the dropped scripts, exec.bat.
  • The malware then opens a decoy file showing a Wikipedia article about Alexander Lapshin, a Russian-Israeli journalist and human rights activist, while OxtaRAT runs stealthily in the background.
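A defender-side triage check for the delivery stage described above, added here as an illustration rather than code from the report or from Check Point: it inspects a suspect file's name and bytes for the three traits of this lure, an executable extension hiding behind a document-like name, image data embedded inside a PE, and a compiled AutoIt payload. The "AU3!EA06" marker is assumed from public detection rules for compiled AutoIt, and the sample bytes and filename are constructed.

```python
"""Triage helper for .SCR lures that pair an image with a compiled AutoIt payload."""
from dataclasses import dataclass, field
from pathlib import PurePath

# PE and image/document magics are standard. "AU3!EA06" is the marker commonly
# used in YARA rules for compiled AutoIt scripts (assumption, not from the report).
PE_DOS_MAGIC = b"MZ"
PE_NT_MAGIC = b"PE\x00\x00"
AUTOIT_MARKER = b"AU3!EA06"
EMBEDDED_MAGICS = {
    "jpeg": b"\xff\xd8\xff\xe0",      # JFIF APP0; 4 bytes to limit false hits
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
DOCUMENT_LOOKALIKES = {".pdf", ".jpg", ".jpeg", ".png", ".gif", ".doc", ".docx"}
EXECUTABLE_SUFFIXES = {".scr", ".exe"}


@dataclass
class Verdict:
    suspicious: bool
    reasons: list[str] = field(default_factory=list)


def triage_lure(filename: str, data: bytes) -> Verdict:
    """Return a Verdict listing which lure traits the file exhibits."""
    verdict = Verdict(suspicious=False)
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    is_pe = data.startswith(PE_DOS_MAGIC) and PE_NT_MAGIC in data

    # Trait 1: executable extension behind a document-like name (report.pdf.scr)
    if suffixes and suffixes[-1] in EXECUTABLE_SUFFIXES:
        if any(s in DOCUMENT_LOOKALIKES for s in suffixes[:-1]):
            verdict.reasons.append("executable extension behind document-like name")

    # Trait 2: image or document data embedded in a PE, the polyglot pattern
    embedded = sorted(name for name, magic in EMBEDDED_MAGICS.items() if magic in data)
    if is_pe and embedded:
        verdict.reasons.append("PE contains embedded " + ",".join(embedded))

    # Trait 3: compiled AutoIt payload marker
    if AUTOIT_MARKER in data:
        verdict.reasons.append("compiled AutoIt script marker present")

    # Two or more traits together are needed; legitimate installers can show one
    verdict.suspicious = len(verdict.reasons) >= 2
    return verdict
```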

Earlier campaigns

OxtaRAT has been active since June 2021 and has been used by the same attackers in various campaigns targeting Azerbaijani entities.
  • In June 2021, it was used to target political and human rights activists working in Azerbaijan via phishing emails. The emails carried a link to a password-protected RAR archive that eventually downloaded the payload from the C2 server.
  • Two months later, a .SCR file was found disguised as a military document. Upon execution, it displayed a PDF to the victim while the main malware was downloaded from the server and executed.
  • In February 2022, the malware was used to target Abulfaz Gurbanli, an Azerbaijani political activist. Attackers lured the victim via an email pretending to be BBC journalists, urging him to click on the (malicious) link, eventually infecting him with OxtaRAT.

How is the latest campaign different?

OxtaRAT allows the attacker to steal sensitive information, perform surveillance, run additional commands, and open files on the targeted machines. However, the latest campaign caught the attention of researchers for several reasons.
  • The attack chain in this campaign differs from all previous campaigns: here the OxtaRAT payload is embedded in the initial image file, whereas in previous campaigns the file acted as a downloader that fetched the payload at a later stage.
  • Second, the attackers have geofenced the C2 domain to protect their auxiliary tools and additional payloads from sandboxes and other analysis tools; in this case, the URL can be accessed only from Armenian IP addresses.
  • OxtaRAT has been updated with around 10 additional commands, including support for exfiltrating new file types, recursive enumeration of files in a folder, and collection of additional metadata such as last modified date and size.

Ending notes

The recent campaign shows a shift in targeted victims as well as several enhancements to the malware and attack tactics that make the operation more secure and efficient. This indicates that the attackers are skilled and are now looking toward targets beyond Azerbaijan. Experts suspect that this could change further and that the group may expand into other geographical areas in the future.
Publisher: Cyware