
The attack against the government of Azerbaijan

Since April 2020, attackers have been exploiting the tension between Azerbaijan and Armenia to target Azerbaijanis. Researchers discovered that several groups used phishing lures to distribute AgentTesla and PoetRat; PoetRat in particular was used against users in Azerbaijan.

Researchers found a malicious Word document that, through a series of execution stages, ultimately dropped the Fairfax remote access Trojan. Judging by the document's content, the attack appears to be aimed at the Azerbaijani government and military.

Analysis

The document's lure was written in Azerbaijani and discussed the "National Security and Science" conference to be held in Azerbaijan in 2021.


The malicious document contains obfuscated macros: the attacker inserted random character sequences into the VBA source to disguise function and variable names. Some examples:

  • AddArg_OACZT_20210214_115603_xokkn_uments29 -> AddArguments29
  • zixokknpPath -> zipPath
  • tesOACZTtcustomdirabcdefghijklmnopqrstuvwxyzect_OACZT_20210214_115603_xokkn_ory -> testcustomdirectory
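As an added example (not code from the original report), a small Python normaliser that strips the junk tokens visible in the three identifiers above and applies the renaming across a constructed VBA fragment. It assumes the token list recovered from these examples is complete for this sample; a real macro may use different or additional tokens.

```python
import re

# Junk tokens recovered from the identifier examples above (assumed to be the
# sample's full set; another macro may use other tokens).
JUNK_TOKENS = [
    "_OACZT_20210214_115603_xokkn_",
    "abcdefghijklmnopqrstuvwxyz",
    "OACZT",
    "xokkn",
]

# Longest token first, so a long token that contains a short one is removed
# as a unit rather than being split by the shorter match.
_JUNK_RE = re.compile(
    "|".join(re.escape(t) for t in sorted(JUNK_TOKENS, key=len, reverse=True))
)
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def clean_identifier(name: str) -> str:
    """Strip every junk token from a single obfuscated VBA identifier."""
    return _JUNK_RE.sub("", name)


def deobfuscate_vba(source: str) -> tuple[str, dict[str, str]]:
    """Rename every obfuscated identifier in a VBA listing.

    Returns (rewritten_source, {obfuscated_name: clean_name}). Raises
    ValueError if two distinct obfuscated names collapse to the same clean
    name, since silently merging them would change the macro's meaning.
    """
    mapping: dict[str, str] = {}
    first_seen: dict[str, str] = {}

    def repl(m: re.Match) -> str:
        raw = m.group(0)
        clean = clean_identifier(raw)
        if clean != raw:
            prev = first_seen.setdefault(clean, raw)
            if prev != raw:
                raise ValueError(f"{raw!r} and {prev!r} both clean to {clean!r}")
            mapping[raw] = clean
        return clean

    return _IDENT_RE.sub(repl, source), mapping


# Constructed VBA fragment built from the identifiers shown on this page.
SAMPLE_VBA = """Sub AutoOpen()
    Dim zixokknpPath As String
    zixokknpPath = tesOACZTtcustomdirabcdefghijklmnopqrstuvwxyzect_OACZT_20210214_115603_xokkn_ory
    Call AddArg_OACZT_20210214_115603_xokkn_uments29(zixokknpPath)
End Sub
"""
```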

The malicious document ultimately dropped and executed fairfax.exe. FairFax is a .NET remote access Trojan developed using the TAP model (task-based asynchronous programming model). In this model, each function can be defined as a task that runs once external resources have been allocated and other tasks have completed.


IOCs
