OxtaRAT Malware Surge Targets Armenia Amidst Tensions
Cybersecurity experts have sounded the alarm over a recent surge in malicious activity involving a sophisticated malware strain called OxtaRAT. This remote access Trojan (RAT) has been linked to threat actors aligned with Azerbaijani interests, with a new campaign targeting Armenian entities in November 2022.
OxtaRAT, first spotted in 2015, is a polyglot file combining an AutoIT script and an image, designed for stealth and evasion. It boasts an array of capabilities, including file exfiltration, video recording, remote control, web shell installation, and port scanning. Previous campaigns have focused on Azerbaijani political activists, human rights defenders, and entities related to Artsakh/Nagorno-Karabakh tensions.
The latest campaign, however, marked a significant shift. For the first time, OxtaRAT was used against Armenian individuals and corporations. The attacks occurred amidst escalating tensions between Azerbaijan and Armenia over the Lachin corridor. Check Point Research, which discovered the campaign, warns that these attacks are likely to continue.
The November 2022 campaign featured enhancements in operational security and new data theft functionality. The infection chain also showed changes, suggesting the threat actors are continually evolving their tactics. Check Point Research has provided indicators of compromise (IOCs) to help organizations detect and mitigate potential infections.
The OxtaRAT backdoor remains a serious threat, with recent activity indicating a broadening of targets to include Armenian entities. Organizations in East Asia, particularly those in Armenia, should remain vigilant and take necessary precautions to protect against this sophisticated malware. Further attacks are anticipated, and prompt action based on the provided IOCs is advised.