Entities in Armenia have come under a cyber attack using an updated version of a backdoor called OxtaRAT that allows remote access and desktop surveillance.
“The tool capabilities include searching for and exfiltrating files from the infected machine, recording the video from the web camera and desktop, remotely controlling the compromised machine with TightVNC, installing a web shell, performing port scanning, and more,” Check Point Research said in a report.
The latest campaign is said to have commenced in November 2022 and marks the first time the threat actors behind the activity have expanded their focus beyond Azerbaijan.
“The threat actors behind these attacks have been targeting human rights organizations, dissidents, and independent media in Azerbaijan for several years,” the cybersecurity firm noted, calling the campaign Operation Silent Watch.
The late 2022 intrusions are significant, not least because of the changes in the infection chain and the steps taken to improve operational security and to equip the backdoor with more capabilities.
The starting point of the attack sequence is a self-extracting archive that mimics a PDF file and bears a PDF icon. Launching the purported “document” opens a decoy file while also stealthily executing malicious code hidden inside an image.
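The two tricks in that infection chain, an executable dressed up as a PDF and payload bytes tucked inside an image, can both be spotted by looking past the file name and icon at the bytes themselves. The following Python triage helper is an added example written for this article; it is not code from the Check Point report or from the OxtaRAT toolset, and the sample files it inspects are constructed inline (a tiny PNG with and without appended data, and a PE header stub named as a `.pdf`) rather than real artefacts from the campaign. It checks whether a file's magic bytes agree with its claimed extension, flags PE executables carrying a document or image extension, and walks a PNG's chunk list (or finds a JPEG's end-of-image marker) to count bytes appended after the image legitimately ends.

```python
import struct

# Magic byte prefixes for the handful of formats this triage check understands.
PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF-"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"

# Extensions that legitimately carry a PE image; anything else holding "MZ" is suspicious.
EXECUTABLE_EXTS = {"exe", "dll", "scr", "sys", "cpl"}
# Claimed type implied by the file extension.
EXT_TO_TYPE = {"pdf": "pdf", "png": "png", "jpg": "jpeg", "jpeg": "jpeg"}


def sniff_type(data: bytes) -> str:
    """Identify the real container format from leading bytes, ignoring the file name."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the bytes contradict the extension, e.g. a PE image named report.pdf."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    actual = sniff_type(data)
    if actual == "pe" and ext not in EXECUTABLE_EXTS:
        return True
    claimed = EXT_TO_TYPE.get(ext)
    return claimed is not None and actual != claimed


def trailing_bytes_after_image(data: bytes) -> int:
    """Bytes that follow the image's end marker (PNG IEND chunk or JPEG EOI); 0 if none."""
    if data.startswith(PNG_MAGIC):
        pos = 8  # skip signature; each chunk is 4-byte length, 4-byte type, data, 4-byte CRC
        while pos + 8 <= len(data):
            length = struct.unpack(">I", data[pos:pos + 4])[0]
            ctype = data[pos + 4:pos + 8]
            end = pos + 12 + length
            if ctype == b"IEND":
                return max(0, len(data) - end)
            pos = end
        return 0
    if data.startswith(JPEG_MAGIC):
        # First EOI marker; an embedded EXIF thumbnail can end earlier and cause a
        # false positive, so treat a hit here as a lead for manual review, not proof.
        eoi = data.find(b"\xff\xd9", 2)
        return 0 if eoi < 0 else len(data) - (eoi + 2)
    return 0


def triage(name: str, data: bytes) -> list:
    """Return human-readable findings for one file; empty list means nothing odd was seen."""
    findings = []
    if extension_mismatch(name, data):
        findings.append(f"{name}: extension claims one format, bytes say {sniff_type(data)}")
    extra = trailing_bytes_after_image(data)
    if extra:
        findings.append(f"{name}: {extra} bytes appended after image end marker")
    return findings


# Constructed samples (not campaign artefacts): a minimal PNG, the same PNG with a
# PE-looking blob appended, and a PE header stub presented as a PDF.
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + ctype + payload + b"\x00\x00\x00\x00"  # CRC not checked here

SAMPLE_PNG = PNG_MAGIC + _png_chunk(b"IHDR", b"\x00" * 13) + _png_chunk(b"IEND", b"")
SAMPLE_PNG_WITH_PAYLOAD = SAMPLE_PNG + b"MZ" + b"\x90" * 30
SAMPLE_FAKE_PDF = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_REAL_PDF = b"%PDF-1.7\n%constructed stub\n"

if __name__ == "__main__":
    for fname, blob in [("photo.png", SAMPLE_PNG), ("photo.png", SAMPLE_PNG_WITH_PAYLOAD),
                        ("document.pdf", SAMPLE_FAKE_PDF), ("document.pdf", SAMPLE_REAL_PDF)]:
        for line in triage(fname, blob) or [f"{fname}: no findings"]:
            print(line)
```

A self-extracting archive is an ordinary PE file, so the icon and name do nothing to change its leading `MZ` bytes; the extension check catches that regardless of how convincing the decoy looks. The trailing-bytes check is only a lead: legitimate images sometimes carry harmless padding, so a non-zero count should route the file to a sandbox or analyst rather than trigger an automatic verdict on its own.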