A lure document targeting Azerbaijan uses steganography to conceal a remote administration Trojan.

This blog post was authored by Hossein Jazi

Threat actors often vary their techniques to thwart security defenses and increase the efficiency of their attacks. One of the tricks they use is known as steganography and consists of hiding content within images.

We recently observed a malicious Word file that uses this technique to drop a Remote Administration Trojan (RAT) that was new to us. Based on the decoy document, we assess that this attack is targeting the government and military of Azerbaijan.

Since April 2020 attackers have been taking advantage of the tensions between Azerbaijan and Armenia to target Azerbaijanis. Researchers found several actors that have exploited this conflict via phishing lures to drop AgentTesla and PoetRat. While AgentTesla has been distributed globally through different spam campaigns, PoetRat has been used specifically to target Azerbaijanis.

It seems the document we analyze in this blog has no connection with PoetRat for several reasons: The PoetRat actor has not used steganography in its malicious documents and used Python and Lua variants while the actor we analyzed has dropped a .Net rat called Fairfax which does not seem to be a .Net variant of PoetRat.

Maldoc analysis

The document lure is written in Azerbaijani and talks about a “National Security and Scientific” conference that will be held in Azerbaijan in 2021.

, New steganography attack targets Azerbaijan
Figure 1: Maldoc lure content

The malicious document contains a macro that is obfuscated. The attacker has inserted random characters within the meaningful names to obfuscate the functions and variables names. Here are some of the examples:

  • AddArg_OACZT_20210214_115603_xokkn_uments29 -> AddArguments29
  • zixokknpPath -> zipPath
  • tesOACZTtcustomdirabcdefghijklmnopqrstuvwxyzect_OACZT_20210214_115603_xokkn_ory -> testcustomdirectory

After deobfuscation, the names become clear and can easily figure out the intent of the macro.

, New steganography attack targets Azerbaijan
Figure 2: Macro after deobfuscation

The attacker also used another layer of obfuscation to encode strings. Function “MyFunc23” has been defined for this purpose. This function receives an array of numbers and decodes them into a string.

This function has a loop that reads four numbers of the input array in each iteration and passes them to another function to convert them to a character. At the end it concatenates those characters to build the final string.

, New steganography attack targets Azerbaijan
Figure 3: decoder function

The convertor function defines a big switch statement that returned the character equivalent of each 4 numbers.

, New steganography attack targets Azerbaijan
Figure 4: Convertor function

Upon opening the document and enabling the content the macro will be executed. At first it defines the following files and directories:

  • zipPath: Directory that stores the extracted zip file from png image
  • appFolder: directory that stores the Rat
  • runner: path of the batch file which executes the Rat
  • docxPath: path of the file that keeps a copy of the current document
  • docxCopyPath: Path of the zip format of the copied document
  • docxUnzipFolder: Directory that contains the document after being unzipped
, New steganography attack targets Azerbaijan
Figure 5: Define names

Then, it tries to create the appFolder directory and if it could not create the directory it exits. After creating the directory, it copies itself in a new format to the file path defined before. The reason it copies itself in a new format is because the current document is protected and even after unzipping its content the macro will not be able to find the image to extract the zip file.

, New steganography attack targets Azerbaijan
Figure 6: Creates a copy of itself

To create a copy of itself, It uses “SaveAs2” function that saves the specified document with a new name or format. The string “wdFormatDocumentDefault” has been passed in as a file format parameter which saves the document as DOCX format. In this way the macro can see the image that has embedded zip file.

, New steganography attack targets Azerbaijan
Figure 7: Save as function

In the next step, it extracts the created document copy into the created folder and calls “ExtractFromPng” function to extract the embedded object from the png file. This function calls itself recursively to read all chunk identifications within the png image until it reaches the “puNk” chunk identification which is the chunk that has the embedded zip file. After finding the chunk, it extracts and writes it into “fairfax.zip”.

, New steganography attack targets Azerbaijan
Figure out 8: Extract zip file from png
, New steganography attack targets Azerbaijan
Figure 9: Chunk identification

The “fairfax.zip” is then extracted into %APPDATA%vstelmetry directory. It contains the an executable file (Fairfax.exe) as well as a batch file (runner.bat). The executable has been written in Visual Studio and it seems the attacker archived the whole Visual Studio project.

, New steganography attack targets Azerbaijan
Figure 10: Fairfax directory

At the end it performs some dummy functions and then executes runner.bat to execute fairfax.exe.

, New steganography attack targets Azerbaijan
Figure 11: Execute runner.bat

FairFax.exe:

This is a .Net RAT that has been developed using TAP model (Task Asynchronous Programming model). This model provides an abstraction over asynchronous code. In this model each functionality can be defined as a Task and will be executed based on the external resource allocation and when other tasks complete.

, New steganography attack targets Azerbaijan
Figure 12: Main

This RAT is not obfuscated and contains three main functionalities:

  • Download files
  • Upload files
  • Take screenshots
, New steganography attack targets Azerbaijan
Figure 13: Main functionalities

All the configurations have been stored in Global settings including appfoldername, vbfilename, host address, scheduled task info, vbfile content, and cipherkey.

, New steganography attack targets Azerbaijan
Figure 14: Global settings

All the communications with the server are AES encrypted and base64 encoded.

, New steganography attack targets Azerbaijan
Figure 15: Decryption function
, New steganography attack targets Azerbaijan
Figure 16: Encryption Function

For network communications it has defined four different tasks to send and receive files and commands: SendFileAsync, SendAsync, ReceiveAsync and ReceiveFileAsync.

, New steganography attack targets Azerbaijan
Figure 17: Network communications

To manage the files, it has FileManager class that can get the file and save into a temp directory and also zip files.

, New steganography attack targets Azerbaijan
Figure 18: File manager

It also has the capability to make itself persistent by creating a vbsfile and adding it to Scheduled Tasks.

, New steganography attack targets Azerbaijan
Figure 19: Scheduled task

Conclusion

Threat actors use many techniques to subvert analysis and detection; in this blog post we examined a group employing the less common technique of steganography, in which the actor hides a malicious payload within an image.

Due the geopolitical events happening between Azerbaijan and Armenia, digital attacks against these countries have increased in the past year. Cisco Talos reported a new RAT named PoetRAT which was also used to target Azerbaijan, though differences in the sample analyzed in this post suggest this RAT is not related. Malwarebytes analysts will continue to track this activity, and report on any new findings related to this threat.

, New steganography attack targets Azerbaijan

IOCs

File Name SHA256
telebler.doc ef02527858797356c5e8571c5a22d00c481fbc9ce73c81a341d482ea3776878a
Fairfax.zip 4ad451a1c07d1760a0586c3c5132a68539d98198c402f4fc2b42b954ea9f76d7
auroraXXXX.zip
auroraXXXX.docx
0573926b05c34af23c7003cc0a30cfc682335f7e787958f9be7e6804edacd0a1
image1.png f33db9011c69e6f4b13c765f77466de023f442d8a75bce8ab450f4978275671a
runner.bat 909a94451d2640f89ec25aebcede14f238ead06b94f28544a99f4ecc2411b3b5
Fairfax.exe ab0f4d290f3d4532896dea80563e342c825b12e0111c2d54eac62b1b942b854b
Fairfax.exe 69e880b0545330b8e6d1543c47d89b4907fb79899b40c2478c591225ffc551ce

C2:
vnedoprym.kozow[.]com
111.90.150[.]37

MITRE ATT&CK Techniques

Tactic Id Name Details
Initial Access T1566 Phishing Distributing maldocs through phishing emails
Execution T1059.003 Windows command shell Starts CMD.EXE for commands execution
T1064 Scripting Executing FairFax.exe using batch file
  T1059.001 PowerShell Executes PowerShell scripts
T1204.002 User Execution Manual execution by user
Persistence T1053.005 Scheduled Task Uses Task Scheduler for persistence
Defense Evasion T1140 Deobfuscate/Decode Files or Information The RAT has the ability to decode base
64 data and decrypt AES encrypted data
Colletion T1113 Screen Capture The RAT has the ability to capture the screen
T1560.001 Archive Collected Data: Archive via Utility The RAT archived files using zip utility
Command and Control T1071.001 Application Layer Protocol: Web Protocols Using HTTPS for C2 communications
T1132.001 Data Encoding: Standard Encoding C2 traffic are base64 encoded and AES encrypted
Exfiltration T1041 Exfiltration Over C2 Channel Exfiltrates the data over C2