A lure document targeting Azerbaijan uses steganography to conceal a remote administration Trojan.
This blog post was authored by Hossein Jazi
Threat actors often vary their techniques to thwart security defenses and increase the efficiency of their attacks. One of the tricks they use is known as steganography and consists of hiding content within images.
We recently observed a malicious Word file that uses this technique to drop a Remote Administration Trojan (RAT) that was new to us. Based on the decoy document, we assess that this attack is targeting the government and military of Azerbaijan.
Since April 2020, attackers have been taking advantage of the tensions between Azerbaijan and Armenia to target Azerbaijanis. Researchers have found several actors exploiting this conflict with phishing lures that drop AgentTesla and PoetRAT. While AgentTesla has been distributed globally through many spam campaigns, PoetRAT has been used specifically against Azerbaijanis.
The document we analyze in this post does not appear to be connected to PoetRAT, for two reasons: the PoetRAT actor has not used steganography in its malicious documents, and PoetRAT exists as Python and Lua variants, whereas the actor we analyzed dropped a .NET RAT called Fairfax, which does not look like a .NET port of PoetRAT.
The document lure is written in Azerbaijani and talks about a “National Security and Scientific” conference that will be held in Azerbaijan in 2021.
The malicious document contains an obfuscated macro. The attacker inserted runs of junk characters into otherwise meaningful identifiers to obscure function and variable names. Some examples:
- AddArg_OACZT_20210214_115603_xokkn_uments29 -> AddArguments29
- zixokknpPath -> zipPath
- tesOACZTtcustomdirabcdefghijklmnopqrstuvwxyzect_OACZT_20210214_115603_xokkn_ory -> testcustomdirectory
After deobfuscation the names become clear and the intent of the macro is easy to follow.
The attacker also used a second layer of obfuscation to encode strings. A function named “MyFunc23” serves this purpose: it receives an array of numbers and decodes them into a string.
Its loop reads four numbers from the input array on each iteration and passes them to a converter function that maps them to a single character; the characters are then concatenated to build the final string.
The converter is a large switch-style (Select Case) statement that returns the character corresponding to each group of four numbers.
Upon opening the document and enabling content, the macro executes. It first defines the following files and directories:
- zipPath: directory that receives the zip file extracted from the PNG image
- appFolder: directory that stores the RAT
- runner: path of the batch file that launches the RAT
- docxPath: path of the copy the macro makes of the current document
- docxCopyPath: path of the zip-format copy of that document
- docxUnzipFolder: directory that holds the unzipped document
It then tries to create the appFolder directory and exits if it cannot. After creating the directory, it saves a copy of itself in a different format to the path defined above. The re-saved copy is needed because the current document is protected: even after unzipping its contents, the macro would not be able to locate the image that carries the zip file.
To create the copy it calls “SaveAs2”, which saves the document under a new name or format. The format parameter is “wdFormatDocumentDefault”, which writes the document as DOCX. In the resulting package the macro can see the image with the embedded zip file.
Next it unzips the copied document into the folder it created and calls “ExtractFromPng” to pull the embedded object out of the PNG file. This function calls itself recursively, reading chunk identifiers in the PNG until it reaches the “puNk” chunk, which carries the embedded zip file. Once found, it extracts the chunk data and writes it to “fairfax.zip”.
“fairfax.zip” is then extracted into the %APPDATA%\vstelmetry directory. It contains an executable (Fairfax.exe) and a batch file (runner.bat). The executable was built with Visual Studio, and it appears the attacker archived the entire Visual Studio project along with it.
Finally it runs a few dummy functions and then executes runner.bat, which in turn launches fairfax.exe.
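As an added example (not the macro's own code), the following Python shows both halves of the PNG trick described above: how a zip can be tucked into a private ancillary chunk named puNk, and how a parser walks the chunk list, as ExtractFromPng does, to pull it back out. The 1x1 carrier image and the zip contents are constructed here and stand in for the real ones. The chunk layout (4-byte big-endian length, 4-byte type, data, CRC32 over type and data) and the flag bits in the type name come from the PNG specification: because the first letter of puNk is lowercase the chunk is ancillary and the second lowercase letter marks it private, so standard decoders skip it and the image renders normally. The unknown_chunks helper is the check a defender would run over images extracted from a DOCX; the KNOWN_CHUNKS list is an assumption about what a benign image usually carries.

```python
import io
import struct
import zipfile
import zlib
from typing import Iterator, List, Optional, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Assumed allow-list of chunk types a benign image from a common encoder carries.
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA",
                b"iCCP", b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD",
                b"hIST", b"pHYs", b"sPLT", b"tIME"}


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(png: bytes) -> Iterator[Tuple[bytes, bytes, bool]]:
    """Walk the chunk list, yielding (type, data, crc_ok); stops after IEND."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if pos + 12 + length > len(png):
            raise ValueError("truncated chunk")
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        yield ctype, data, crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        pos += 12 + length
        if ctype == b"IEND":
            break


def chunk_flags(ctype: bytes) -> Tuple[bool, bool, bool]:
    """(ancillary, private, safe_to_copy): bit 5 of bytes 0, 1 and 3 of the type."""
    return bool(ctype[0] & 0x20), bool(ctype[1] & 0x20), bool(ctype[3] & 0x20)


def extract_chunk(png: bytes, wanted: bytes = b"puNk") -> Optional[bytes]:
    """Data of the first chunk of type `wanted`, or None. The macro's
    ExtractFromPng does the same walk recursively; iteration is equivalent."""
    for ctype, data, _ in iter_chunks(png):
        if ctype == wanted:
            return data
    return None


def unknown_chunks(png: bytes) -> List[Tuple[bytes, int]]:
    """Detection helper: (type, size) of every chunk outside KNOWN_CHUNKS."""
    return [(t, len(d)) for t, d, _ in iter_chunks(png) if t not in KNOWN_CHUNKS]


def minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale carrier; not the image from the sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte 0 + one pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


def embed_payload(png: bytes, payload: bytes, ctype: bytes = b"puNk") -> bytes:
    """Insert a private ancillary chunk just before IEND; decoders skip it."""
    ancillary, private, _ = chunk_flags(ctype)
    if not (ancillary and private):
        raise ValueError("first two letters must be lowercase for a private ancillary chunk")
    head, iend = png[:-12], png[-12:]  # IEND is always 12 bytes: len+type+crc
    if iend[4:8] != b"IEND":
        raise ValueError("carrier does not end with IEND")
    return head + make_chunk(ctype, payload) + iend


def build_sample() -> bytes:
    """Constructed stand-in for the maldoc's image: a zip with placeholder members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("runner.bat", "rem constructed placeholder, not the real batch file\r\n")
        zf.writestr("Fairfax.exe", b"MZ constructed placeholder, not the real binary")
    return embed_payload(minimal_png(), buf.getvalue())


def recover_zip_members(png: bytes) -> List[str]:
    """Pull the puNk chunk, parse it as a zip, return member names ([] if absent)."""
    blob = extract_chunk(png)
    if blob is None:
        return []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    sample = build_sample()
    print("unknown chunks:", unknown_chunks(sample))
    print("recovered:", recover_zip_members(sample))
```

The CRC is valid on the smuggled chunk, so integrity checks in an image library will not flag it; the only visible anomaly is a chunk type nobody defined, which is why the allow-list comparison is the useful signal.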
Fairfax is a .NET RAT built on the Task-based Asynchronous Pattern (TAP), which provides an abstraction over asynchronous code: each piece of functionality is defined as a Task, and tasks run as the resources they wait on become available and as the tasks they depend on complete.
The RAT is not obfuscated and has three main capabilities:
- Download files
- Upload files
- Take screenshots
All configuration is stored in Global settings, including appfoldername, vbfilename, the host address, scheduled-task information, the VBS file content, and the cipherkey.
All communication with the server is AES encrypted and Base64 encoded.
For network communication it defines four tasks to send and receive files and commands: SendFileAsync, SendAsync, ReceiveAsync and ReceiveFileAsync.
File handling is done by a FileManager class that can fetch a file, save it to a temp directory, and zip files.
It also establishes persistence by writing a VBS file and registering it as a scheduled task.
Threat actors use many techniques to subvert analysis and detection; in this blog post we examined a group employing the less common technique of steganography, in which the actor hides a malicious payload within an image.
Due to the geopolitical tensions between Azerbaijan and Armenia, digital attacks against these countries have increased over the past year. Cisco Talos reported a new RAT named PoetRAT that was also used to target Azerbaijan, though the differences in the sample analyzed in this post suggest this RAT is not related. Malwarebytes analysts will continue to track this activity and report any new findings related to this threat.
MITRE ATT&CK Techniques
| Tactic | ID | Technique | Description |
|---|---|---|---|
| Initial Access | T1566 | Phishing | Distributing maldocs through phishing emails |
| Execution | T1059.003 | Windows Command Shell | Starts CMD.EXE for command execution |
| Execution | T1064 | Scripting | Executing FairFax.exe using a batch file |
| Execution | T1059.001 | PowerShell | Executes PowerShell scripts |
| Execution | T1204.002 | User Execution: Malicious File | Manual execution by the user |
| Persistence | T1053.005 | Scheduled Task | Uses Task Scheduler for persistence |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | The RAT decodes Base64 data and decrypts AES-encrypted data |
| Collection | T1113 | Screen Capture | The RAT can capture the screen |
| Collection | T1560.001 | Archive Collected Data: Archive via Utility | The RAT archives files using a zip utility |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Uses HTTPS for C2 communication |
| Command and Control | T1132.001 | Data Encoding: Standard Encoding | C2 traffic is Base64 encoded and AES encrypted |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Exfiltrates data over the C2 channel |