1
00:00:01,600 --> 00:00:12,599
Produced by PI Media July seventh,
twenty twenty one. According to secure hosting

2
00:00:12,640 --> 00:00:20,160
provider Qurium, quote, several prominent human
rights and political activists in Azerbaijan, end quote,

3
00:00:20,440 --> 00:00:26,280
all received the same email, purporting
to come from the NGO Human Rights Watch.

4
00:00:26,879 --> 00:00:33,039
The sender was, maybe a little on
the nose, human rights dot invoicer at

5
00:00:33,200 --> 00:00:38,039
gmail dot com. The body of
the mail began, quote, we present a

6
00:00:38,079 --> 00:00:45,000
new project for Azerbaijani political and human
right activists, end quote. The message prompted

7
00:00:45,079 --> 00:00:51,119
targets to download an invoice document,
which, upon being extracted, presented an

8
00:00:51,200 --> 00:00:58,280
error message, unsupported Microsoft Word version, file
corrupted, with an error number. If it

9
00:00:58,320 --> 00:01:04,879
weren't already obvious that this was an
attack, the multiple misspelled words like unsupported

10
00:01:04,920 --> 00:01:11,799
with two O's and number without a B
might have given it away. Any victim

11
00:01:11,920 --> 00:01:18,319
that reached this point had, perhaps
unbeknownst to them, downloaded malware to their

12
00:01:18,359 --> 00:01:25,079
computer, malware with the ability to
remotely execute commands, steal or upload files,

13
00:01:25,120 --> 00:01:30,680
and record their screens or webcam feeds. Perhaps because the phishing was so

14
00:01:30,760 --> 00:01:37,840
simplistic, enough activists caught on before they
got to that point. But this campaign

15
00:01:38,280 --> 00:01:42,879
was merely a harbinger of worse things
to come. Hi listeners, I'm Ran

16
00:01:42,920 --> 00:01:57,200
Levi. Welcome to a somewhat unique
episode of CPRadio. To give people some

17
00:01:57,239 --> 00:02:00,599
sense of the gravity of this situation,
of why it is that we are distorting

18
00:02:00,640 --> 00:02:07,560
our voice for this episode: so
we're going to discuss sensitive topics that potentially

19
00:02:07,560 --> 00:02:15,479
involve nation state actors. So we
want to protect the identity of all the

20
00:02:15,680 --> 00:02:22,960
researchers that are involved in this.
We've covered nation state attacks plenty of times

21
00:02:23,000 --> 00:02:28,080
on this podcast. Perhaps some precaution
is warranted in this case, however,

22
00:02:28,479 --> 00:02:34,800
because of how commonly the individuals who
speak out on this conflict find themselves targeted

23
00:02:34,879 --> 00:02:42,120
for it. We're talking about a
highly charged environment. So the political context

24
00:02:42,280 --> 00:02:46,680
of the story we're going to talk
about today is based on the conflict,

25
00:02:47,000 --> 00:02:53,719
which is not very well known outside
the region at all. It involves Azerbaijan

26
00:02:53,879 --> 00:03:00,400
and Armenia, the two countries in
the South Caucasus between the Caspian and Black Seas,

27
00:03:00,759 --> 00:03:06,199
just east of Turkey and north of
Iran. Both are former Soviet Union

28
00:03:06,280 --> 00:03:12,000
republics. They gained independence after the
dissolution of the Soviet Union, and the

29
00:03:12,080 --> 00:03:17,400
conflict is around the Republic of Artsakh,
also known as Nagorno-Karabakh. It's

30
00:03:17,639 --> 00:03:23,199
a breakaway region in the South Caucasus, with a majority of population being Armenians,

31
00:03:23,439 --> 00:03:30,879
but internationally it's recognized as a part
of Azerbaijan. A land area which,

32
00:03:30,039 --> 00:03:38,120
despite being mostly Armenian, is almost
entirely encapsulated by Azerbaijan, so

33
00:03:38,280 --> 00:03:45,800
de facto it is an enclave within Azerbaijan, and the only route from Armenia to

34
00:03:46,280 --> 00:03:53,520
Nagorno-Karabakh is through the Lachin Corridor,
which is currently under the Russian peacekeepers'

35
00:03:53,719 --> 00:04:02,639
control. This tiny little sliver of
land is a primary locus of the years-

36
00:04:02,680 --> 00:04:09,400
long conflict. The situation in Artsakh
is pretty tense. There are a lot

37
00:04:09,479 --> 00:04:14,800
of military conflicts there in the area
and all kinds of ceasefire violations and

38
00:04:14,879 --> 00:04:20,399
sporadic violence. And this is the
conflict that has largely affected the relationship between

39
00:04:20,480 --> 00:04:27,639
the two countries for more than twenty
years. Tensions flared late last year when

40
00:04:27,720 --> 00:04:34,160
Azerbaijani citizens working for the Azerbaijani government
blocked off the little Lachin Corridor, thereby

41
00:04:34,279 --> 00:04:42,480
disconnecting Artsakh from Armenia and the rest
of the world. The Azerbaijani side claims it

42
00:04:42,560 --> 00:04:48,879
is peaceful eco-protests. The Armenian
side claims there is a blockade by Azerbaijanis

43
00:04:48,959 --> 00:04:56,879
in order to cut the region off from
supplies. The staged protest at Lachin

44
00:04:57,399 --> 00:05:02,480
was very significant, but it wasn't
the only action taken by the Azerbaijani government

45
00:05:02,759 --> 00:05:13,480
at the time. In late November, one of the major banks in the

46
00:05:13,879 --> 00:05:19,240
region got a malicious email: Artsakh
Bank, an Armenian bank with eleven

47
00:05:19,279 --> 00:05:26,879
branches in the disputed region. A
suspicious email delivered to Artsakh Bank included

48
00:05:26,959 --> 00:05:33,319
a PDF document of the Wikipedia page
of a man named Alexander Lapshin. Alexander

49
00:05:33,439 --> 00:05:43,920
Lapshin is a Russian-Israeli blogger. He's
pro-Armenian in relation to the Armenian-

50
00:05:44,040 --> 00:05:49,120
Azerbaijani conflict, and he talks openly about
that. So in twenty sixteen he was

51
00:05:49,319 --> 00:05:58,079
detained in Belarus and was extradited to
Azerbaijan at the request of the Azerbaijani government,

52
00:05:58,959 --> 00:06:06,759
and there he was accused of visiting
the territory of Azerbaijan, which is Artsakh,

53
00:06:08,439 --> 00:06:15,839
back in twenty eleven, twenty twelve, without
getting permission from the Azerbaijani authorities. Lapshin

54
00:06:15,160 --> 00:06:23,040
was sentenced to three years in an
Azerbaijani prison, and a few months after

55
00:06:23,519 --> 00:06:30,319
his detention in Azerbaijan, something happened. The Azerbaijani side claims that it was a

56
00:06:30,360 --> 00:06:36,319
suicide attempt. Lapshin himself claims that
it was an attempt to kill him.

57
00:06:36,439 --> 00:06:42,040
So he was hospitalized and then a
few days later he was pardoned by the

58
00:06:42,079 --> 00:06:48,839
President of Azerbaijan and sent back to
Israel. Then he started a court case

59
00:06:49,160 --> 00:06:56,279
against Azerbaijan in the European Court of
Human Rights. On May twenty, twenty

60
00:06:56,360 --> 00:07:00,480
twenty one, in the case of
Lapshin versus Azerbaijan, the court ruled that

61
00:07:00,560 --> 00:07:08,199
Azerbaijani authorities violated Lapshin's right to life
and ordered them to pay him thirty thousand

62
00:07:08,360 --> 00:07:17,279
euros. To celebrate his victory,
Lapshin had a bit of fun. So

63
00:07:17,560 --> 00:07:23,959
the next day after this decision,
what he did is on his Facebook account

64
00:07:24,319 --> 00:07:30,959
he published a picture of a credit
card for the bank account that he opened

65
00:07:30,959 --> 00:07:35,959
specifically to get this money from the
Azerbaijani government, and he kind of mocked

66
00:07:35,959 --> 00:07:47,879
the Azerbaijani government by opening this account
in Artsakh Bank. Azerbaijan didn't take kindly to

67
00:07:48,120 --> 00:07:55,279
being trolled. This was the context
for a suspect PDF delivered to Artsakh Bank

68
00:07:55,639 --> 00:08:01,519
just a couple of weeks before the
blockade of Artsakh. So it's

69
00:08:01,600 --> 00:08:07,639
kind of a pretty nice way to
lure the employees of the bank to open

70
00:08:09,120 --> 00:08:13,920
something that came with his name and
use it. The idea was that while

71
00:08:13,959 --> 00:08:20,920
the employee was only seeing the bait, quietly
in the background of their computer a

72
00:08:20,959 --> 00:08:30,399
malicious backdoor was burrowing into the network. In August twenty twenty one, a

73
00:08:30,519 --> 00:08:35,519
month after a phishing campaign was deployed
against Azerbaijani activists, a computer in

74
00:08:35,679 --> 00:08:43,639
Armenia uploaded a malware sample to VirusTotal,
a website for detecting malware in files and

75
00:08:43,000 --> 00:08:50,559
URLs. The file was
aptly named Report on the Azerbaijani Military Aggression

76
00:08:50,840 --> 00:08:56,440
Final Update twenty twenty one dot SCR. Despite being a screensaver file,

77
00:08:56,759 --> 00:09:03,480
it was presented on screen with a
PDF icon. Upon execution, the file

78
00:09:03,559 --> 00:09:11,519
presented victims with a document titled, quote,
report on the Azerbaijani Aggression against Artsakh,

79
00:09:11,840 --> 00:09:16,360
Nagorno-Karabakh and Armenia, end quote. Evidently, in the months that

80
00:09:16,600 --> 00:09:24,759
passed between attacks, the hackers didn't
improve their spelling, forgetting a G in aggression,

81
00:09:24,720 --> 00:09:31,159
but they clearly had improved in other
ways. The lure was more specific,

82
00:09:31,440 --> 00:09:35,879
more enticing to the particular kind of
target they were after compared with the

83
00:09:35,919 --> 00:09:43,159
more general Human Rights Watch invoice,
and the malware too was being iterated on.

84
00:09:43,159 --> 00:09:48,679
The first version of this malware was
used around July twenty twenty one,

85
00:09:48,000 --> 00:09:52,039
and it was much simpler.
It had far fewer commands. It basically

86
00:09:52,679 --> 00:09:58,639
knew just how to collect the recordings
and run additional commands. Then we've seen

87
00:09:58,639 --> 00:10:05,360
it once again in February twenty twenty
two, with much more advanced features like

88
00:10:05,679 --> 00:10:13,080
collecting the files in different ways. February
twenty twenty two. This time the email

89
00:10:13,159 --> 00:10:20,559
pretended to come from the BBC and
required a password for decryption, a clever

90
00:10:20,679 --> 00:10:26,720
little adjustment, since antivirus programs, without
knowing the password to a file, can't actually

91
00:10:26,799 --> 00:10:31,320
read and interpret whether they're safe or
not. The attackers were working on their

92
00:10:31,440 --> 00:10:37,360
tactics, techniques, and procedures for
over a year, probably two years,

93
00:10:37,600 --> 00:10:41,679
and we lead up to late twenty
twenty two, when, for at least

94
00:10:41,799 --> 00:10:46,679
the fourth time, and for the
very first time against a commercial organization, they

95
00:10:46,879 --> 00:10:56,759
deployed their malware. So we call
this malware OxtaRAT. RAT as in

96
00:10:56,039 --> 00:11:01,879
remote access Trojan. OxtaRAT is
based on AutoIt, a perfectly legitimate

97
00:11:03,000 --> 00:11:09,080
computer language for automating the Windows user
interface. It's a legitimate administrative tool in

98
00:11:09,159 --> 00:11:15,440
order to allow the IT administrators to
perform their tasks, but it's often abused

99
00:11:15,480 --> 00:11:22,639
by all kinds of malicious activities.
A decade ago, Trend Micro analyzed why

100
00:11:22,840 --> 00:11:26,799
so many hackers were choosing AutoIt.
As one expert explained, quote,

101
00:11:28,200 --> 00:11:33,759
AutoIt is scalable,
very similar to BASIC, and is outrageously

102
00:11:33,799 --> 00:11:37,279
easy to code, end quote. Wilhoit
said, this ease of use takes the

103
00:11:37,360 --> 00:11:43,480
learning curve off learning more complex languages
such as Python. This opens up a

104
00:11:43,559 --> 00:11:50,000
wide array of possibilities to hackers that
may not otherwise expose themselves to a scripting

105
00:11:50,080 --> 00:11:56,519
language. In other words, AutoIt
can make your job easy if

106
00:11:56,600 --> 00:12:01,679
you're in a rush, maybe,
or if you're not a particularly good hacker,

107
00:12:01,200 --> 00:12:07,919
like perhaps the folks behind OxtaRAT.
I would say that technically it's not very

108
00:12:07,960 --> 00:12:16,200
complicated, but it works. Although
it's not some fancy, super stealthy thing,

109
00:12:16,360 --> 00:12:22,080
it does the job. However simplistic it
might be, OxtaRAT is nonetheless

110
00:12:22,200 --> 00:12:28,360
dangerous, years in the making, with
many different types of components, which allow it

111
00:12:28,759 --> 00:12:35,879
to run additional code on the machine, search for and exfiltrate different types of

112
00:12:35,000 --> 00:12:41,600
files and data on the machine,
to perform active surveillance activity by recording

113
00:12:41,720 --> 00:12:50,799
video from the desktop or from the web camera, by taking screenshots, also installing additional

114
00:12:50,000 --> 00:12:58,360
software for remote access control such as
TightVNC, basically anything an attacker could imagine

115
00:12:58,639 --> 00:13:05,840
wanting to do on a victim computer, and
also to collect all different kinds of information

116
00:13:05,879 --> 00:13:11,720
about the machine itself, the processes, the drives, the system information,

117
00:13:11,320 --> 00:13:18,120
and it also allows it to perform port
scanning and use this compromised machine in order

118
00:13:18,159 --> 00:13:26,000
to pivot inside the network. By
the time of their late twenty twenty two

119
00:13:26,000 --> 00:13:33,000
attack, the hackers had also improved
on their tactics for hiding OxtaRAT. First

120
00:13:33,039 --> 00:13:37,919
among them was AutoIt itself. Hackers like to use commercial software to

121
00:13:37,960 --> 00:13:45,679
trick computers into thinking that their behavior
is legitimate. These hackers used AutoIt to

122
00:13:45,879 --> 00:13:50,840
compile malicious code and run it as
seemingly legitimate automation on a Windows computer.

123
00:13:52,320 --> 00:14:00,240
skirting antivirus engines along the way. And also the actors improved their opsec.

124
00:14:00,480 --> 00:14:05,639
They geofenced their servers, meaning
only those who come from specific IP

125
00:14:05,799 --> 00:14:11,559
ranges. In our case, the
payloads were received only from IP addresses in

126
00:14:11,600 --> 00:14:16,840
Azerbaijan and Armenia. Only those can
get the actual payload and be infected.

127
00:14:18,000 --> 00:14:22,159
This is done in order for researchers
not to find it easily and find it

128
00:14:22,440 --> 00:14:28,440
and reveal its capabilities easily. And lastly, in their efforts to evade detection,

129
00:14:28,320 --> 00:14:35,759
they did a small trick, perhaps
their most clever tactic. They hid the

130
00:14:35,279 --> 00:14:43,639
code in an image, like a regular
PNG image, which is done by encoding

131
00:14:43,759 --> 00:14:50,519
malware into an image file. These
types of files are called polyglot files,

132
00:14:50,960 --> 00:14:58,240
meaning they might be a legitimate picture and
something else. So in this case,

133
00:14:58,600 --> 00:15:03,080
if you open this as a picture, let's say, with your picture editor,

134
00:15:03,759 --> 00:15:07,399
then you will see it as a
picture. But if you run it

135
00:15:07,480 --> 00:15:11,799
with the tool that's supposed to run
it as a script, then it will

136
00:15:11,879 --> 00:15:18,080
run as a script. What's the
purpose of all this? It's probably done

137
00:15:18,120 --> 00:15:22,759
in order to hide the artifacts on
the machine from those who are going to

138
00:15:22,759 --> 00:15:26,000
investigate it later, because you will
just see in the file system an image

139
00:15:26,320 --> 00:15:30,679
and you won't even think that it's
somewhere inside of it. There is a

140
00:15:31,200 --> 00:15:35,759
script hidden, and it's hidden in
compiled forms, so even if you open

141
00:15:35,799 --> 00:15:39,240
it in a text editor, then you
will just see a lot of gibberish that

142
00:15:39,480 --> 00:15:45,159
doesn't make any sense. OxtaRAT
has many components to it, many mechanisms

143
00:15:45,200 --> 00:15:50,080
to prevent detection and functions to carry
out malicious deeds, but at the end

144
00:15:50,080 --> 00:15:56,480
of the day, its focus is
clear. The main intention of the malware

145
00:15:56,960 --> 00:16:03,720
is just to sit patiently and collect
all different kinds of information. Multiple

146
00:16:03,840 --> 00:16:11,159
functions in this backdoor are actually related
to collecting the data in the most effective

147
00:16:11,200 --> 00:16:17,679
way possible, search for the data
on the machine with the many different kinds

148
00:16:17,679 --> 00:16:22,399
of tools, then compress it and
send it to the attacker's control server.

149
00:16:23,879 --> 00:16:30,759
So if we talk about using this
malware in corporate environments, then it might

150
00:16:32,279 --> 00:16:38,480
lead to potential compromise of the customers'
personal data, and then it can be

151
00:16:38,600 --> 00:16:44,639
used in order to facilitate any other
different kind of attack starting from social engineering

152
00:16:44,720 --> 00:16:51,440
to all kind of more advanced operations, or just leak their data to some

153
00:16:51,519 --> 00:16:59,559
other third parties. Ultimately, this
attack probably wasn't about gathering bank account numbers

154
00:16:59,679 --> 00:17:06,039
or raw consumer data. The hackers
were clearly politically motivated and likely wanted to

155
00:17:06,039 --> 00:17:14,079
attack certain specific people. When we
talk about the individuals, the effects of

156
00:17:14,640 --> 00:17:21,279
surveillance on them are much more serious. First, we've seen the cases when

157
00:17:21,319 --> 00:17:26,319
the usage of this malware eventually led
to the destruction of the work of the people

158
00:17:26,359 --> 00:17:30,839
who were targeted by that. For
example, when actors gain access to the

159
00:17:32,640 --> 00:17:37,160
journalists' social media accounts, then
they just deleted all their posts or basically

160
00:17:37,200 --> 00:17:45,160
just threw out part of their work. Another thing is that surveillance operations usually

161
00:17:45,519 --> 00:17:52,480
not only involve the targets themselves, but also all the people around them.

162
00:17:52,960 --> 00:17:56,400
So if you read the stories about,
for example, Pegasus, the Israeli

163
00:17:56,720 --> 00:18:03,279
NSO Group-developed spyware used against activists, politicians, and others around the globe,

164
00:18:04,079 --> 00:18:07,839
you will hear the victims being in
shock that they found out that not

165
00:18:07,920 --> 00:18:12,000
only they were being targeted, but
also their relatives or their partners, and

166
00:18:12,519 --> 00:18:18,880
it's a little bit scary. Fortunately, at the end of our story,

167
00:18:19,440 --> 00:18:26,359
the employees of Artsakh Bank escaped compromise. But as our guest and her colleagues

168
00:18:26,440 --> 00:18:30,279
noted in a blog post, quote,
due to the infrastructure revealed, we believe

169
00:18:30,440 --> 00:18:36,799
that there might have been other targets
of this campaign in Armenia as well.

170
00:18:37,519 --> 00:18:45,319
Exactly who else was targeted and whether
they fell into the attackers' trap remains unknown,

171
00:18:45,079 --> 00:18:49,519
and based on the evidence of recent
years, we can only expect that

172
00:18:49,680 --> 00:18:56,799
these adversaries will be back again soon. Our goal as the security community is

173
00:18:57,640 --> 00:19:03,519
to make this world a little bit
better, so I think it's important to

174
00:19:04,039 --> 00:19:11,759
raise awareness of attacks like this
because they affect individuals and their relatives,

175
00:19:11,200 --> 00:19:19,200
and we really hope that this research
will inspire also other vendors to talk more

176
00:19:19,279 --> 00:19:27,240
about this region, about this conflict
and what's going on there. That's it

177
00:19:27,400 --> 00:19:32,799
for this episode. Thank you for
listening. For past episodes, visit Check Point

178
00:19:32,799 --> 00:19:37,960
Research's blog at research dot checkpoint dot
com, and you can follow Check Point Research

179
00:19:37,079 --> 00:19:41,799
on Twitter or follow me at Ran
Levi. That's R-A-N L-E-

180
00:19:42,200 --> 00:19:48,279
V-I. CPRadio is produced
by PI Media, written by Nate Nelson,

181
00:19:48,480 --> 00:19:52,920
produced by Hila Shemish, and edited
and narrated by me, Ran Levi.

182
00:19:52,279 --> 00:20:03,279
See you next episode. Bye bye,
