Targets located in Azerbaijan have been singled out as part of a new campaign that’s designed to deploy Rust-based malware on compromised systems.
Cybersecurity firm Deep Instinct is tracking the operation under the name Operation Rusty Flag. It has not been associated with any known threat actor or group.
“The operation has at least two different initial access vectors,” security researchers Simon Kenin, Ron Ben Yizhak, and Mark Vaitzman said in an analysis published last week. “One of the lures used in the operation is a modified document that was used by the Storm-0978 group. This could be a deliberate ‘false flag.'”
The attack chain leverages an LNK file named 1.KARABAKH.jpg.lnk as a launchpad to retrieve a second-stage payload, an MSI installer, hosted on Dropbox.
The installer file, for its part, drops an implant written in Rust, an XML file for a scheduled task to execute the implant, and a decoy image file that features watermarks of the symbol of the Azerbaijan Ministry of Defense.
An alternate infection vector is a Microsoft Office document named “Overview_of_UWCs_UkraineInNATO_campaign.docx,” which exploits CVE-2017-11882, a six-year-old memory corruption vulnerability in Microsoft Office’s Equation Editor, to invoke a Dropbox URL hosting a different MSI file serving a variant of the same Rust backdoor.
The use of Overview_of_UWCs_UkraineInNATO_campaign.docx is noteworthy, as a lure with the same filename was leveraged by Storm-0978 (aka RomCom, Tropical Scorpius, UNC2596, and Void Rabisu) in recent cyber attacks targeting Ukraine that exploit an Office remote code execution flaw (CVE-2023-36884).
Level-Up SaaS Security: A Comprehensive Guide to ITDR and SSPM
Stay ahead with actionable insights on how ITDR identifies and mitigates threats. Learn about the indispensable role of SSPM in ensuring your identity remains unbreachable.
“This action looks like a deliberate false flag attempt to pin this attack on Storm-0978,” the researchers said.
The Rust backdoor, one of which masquerades as “WinDefenderHealth.exe,” comes fitted with capabilities to gather information from the compromised host and send it to an attacker-controlled server.
The exact end goals of the campaign remain unclear at this stage. At the same time, the possibility that it could be a red team exercise has not been discounted.
“Rust is becoming more popular among malware authors,” the researchers said. “Security products are not yet detecting Rust malware accurately, and the reverse engineering process is more complex.”