Since April 2020, attackers have been exploiting the tension between Azerbaijan and Armenia to target Azerbaijanis. Researchers discovered that several groups used phishing lures to distribute AgentTesla and PoetRat; PoetRat in particular is aimed specifically at users in Azerbaijan.
Researchers found a malicious Word document that, through a chain of execution stages, ultimately delivered the Fairfax remote access trojan. Judging by the document's content, the attack appears to be aimed at the Azerbaijani government and military.
The document's lure text was written in Azerbaijani and discussed the “National Security and Science” conference to be held in Azerbaijan in 2021.
The malicious document contains obfuscated macros: the attacker inserted random characters into the VBA code to obscure function and variable names. Some examples:
- AddArg_OACZT_20210214_115603_xokkn_uments29 -> AddArguments29
- zixokknpPath -> zipPath
- tesOACZTtcustomdirabcdefghijklmnopqrstuvwxyzect_OACZT_20210214_115603_xokkn_ory -> testcustomdirectory
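An added helper (not code from the original analysis) that reverses this naming scheme for the three examples above. It assumes the junk fragments are exactly the ones visible in those examples; a different sample would need its own list, recovered by comparing the obfuscated names against the readable names they interrupt.

```python
import re

# Junk fragments observed in the three identifier examples above (the
# composite marker plus the two short tokens and the alphabet run it embeds).
JUNK_FRAGMENTS = [
    "_OACZT_20210214_115603_xokkn_",
    "abcdefghijklmnopqrstuvwxyz",
    "OACZT",
    "xokkn",
]


def deobfuscate_identifier(name: str) -> str:
    """Strip every known junk fragment from one VBA identifier.

    Longer fragments are removed first so the composite marker
    '_OACZT_20210214_115603_xokkn_' is consumed whole; removing its
    'OACZT' and 'xokkn' parts separately would leave '_..._' residue.
    """
    cleaned = name
    for junk in sorted(JUNK_FRAGMENTS, key=len, reverse=True):
        cleaned = cleaned.replace(junk, "")
    return cleaned


_IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")


def deobfuscate_vba(source: str) -> str:
    """Rewrite every identifier-shaped token in a VBA listing with its cleaned form.

    Note: the regex does not distinguish string literals from code, so text
    inside quotes is rewritten too; harmless unless a literal contains a
    junk fragment.
    """
    return _IDENT.sub(lambda m: deobfuscate_identifier(m.group(0)), source)


# Constructed VBA fragment modelled on the naming seen in the sample; this is
# not macro code from the actual document.
SAMPLE_VBA = """Sub AddArg_OACZT_20210214_115603_xokkn_uments29()
    Dim zixokknpPath As String
    zixokknpPath = tesOACZTtcustomdirabcdefghijklmnopqrstuvwxyzect_OACZT_20210214_115603_xokkn_ory & "\\payload.zip"
End Sub
"""

if __name__ == "__main__":
    print(deobfuscate_vba(SAMPLE_VBA))
```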
The malicious document ultimately dropped and executed fairfax.exe. FairFax is a .NET RAT built on the TAP model (task-based asynchronous programming model). In this model, each function can be defined as a task that runs once the external resources it needs have been allocated and the tasks it depends on have completed.