WEBVTT

1
00:00:01.600 --> 00:00:12.599
Produced by PI Media July seventh,
twenty twenty one. According to secure hosting

2
00:00:12.640 --> 00:00:20.160
provider Qurium, quote, several prominent human
rights and political activists in Azerbaijan, end quote,

3
00:00:20.440 --> 00:00:26.280
all received the same email, purporting
to come from the NGO Human Rights Watch.

4
00:00:26.879 --> 00:00:33.039
The sender was, maybe a little on
the nose, human rights do invoicer at

5
00:00:33.200 --> 00:00:38.039
gmail dot com. The body of
the mail began quote, we present a

6
00:00:38.079 --> 00:00:45.000
new project for Azerbaijani political and human
rights activists, end quote. The message prompted

7
00:00:45.079 --> 00:00:51.119
targets to download an invoiced document,
which, upon being extracted, presented an

8
00:00:51.200 --> 00:00:58.280
error message, unsupported Microsoft Word version, file
corrupted, with an error number. If it

9
00:00:58.320 --> 00:01:04.879
weren't already obvious that this was an
attack, the multiple misspelled words like unsupported

10
00:01:04.920 --> 00:01:11.799
with two O's and number without a B,
might have given it away. Any victim

11
00:01:11.920 --> 00:01:18.319
that reached this point had, perhaps
unbeknownst to them, downloaded malware to their

12
00:01:18.359 --> 00:01:25.079
computer, malware with the ability to
remotely execute commands, steal or upload files,

13
00:01:25.120 --> 00:01:30.680
and record their screens or webcam feeds. Perhaps because the phishing was so

14
00:01:30.760 --> 00:01:37.840
simplistic, enough activists caught on before they
got to that point. But this campaign

15
00:01:38.280 --> 00:01:42.879
was merely a harbinger of worse things
to come. Hi listeners, I'm Ran

16
00:01:42.920 --> 00:01:57.200
Levi. Welcome to a somewhat unique
episode of CPRadio. To give people some

17
00:01:57.239 --> 00:02:00.599
sense of the gravity of this situation
of why is it that we are distorting

18
00:02:00.640 --> 00:02:07.560
our voice for this episode. So
we're going to discuss sensitive topics that potentially

19
00:02:07.560 --> 00:02:15.479
involve nation state actors. So we
want to protect the identity of all the

20
00:02:15.680 --> 00:02:22.960
researchers that are involved in this.
We've covered nation state attacks plenty of times

21
00:02:23.000 --> 00:02:28.080
on this podcast. Perhaps some precaution
is warranted in this case. However,

22
00:02:28.479 --> 00:02:34.800
because of how commonly the individuals who
speak out on this conflict find themselves targeted

23
00:02:34.879 --> 00:02:42.120
for it. We're talking about a
highly charged environment. So the political context

24
00:02:42.280 --> 00:02:46.680
of the story we're going to talk
today about is based on the conflict,

25
00:02:47.000 --> 00:02:53.719
which is not very well known outside
the region. It involves Azerbaijan

26
00:02:53.879 --> 00:03:00.400
and Armenia, the two countries in the
South Caucasus between the Caspian and Black Seas,

27
00:03:00.759 --> 00:03:06.199
just east of Turkey and north of
Iran. Both are former Soviet Union

28
00:03:06.280 --> 00:03:12.000
republics. They gained independence after the
dissolution of the Soviet Union, and the

29
00:03:12.080 --> 00:03:17.400
conflict is around the Republic of Artsakh,
also known as Nagorno-Karabakh. It's

30
00:03:17.639 --> 00:03:23.199
a breakaway region in the South Caucasus, with a majority of population being Armenians,

31
00:03:23.439 --> 00:03:30.879
but internationally it's recognized as a part
of Azerbaijan. A land area which,

32
00:03:30.039 --> 00:03:38.120
despite being mostly Armenian, is almost
entirely encapsulated by Azerbaijan, so it's

33
00:03:38.280 --> 00:03:45.800
de facto an enclave within Azerbaijan, and the only route from Armenia to

34
00:03:46.280 --> 00:03:53.520
Nagorno-Karabakh is through the Lachin Corridor,
which is currently under the Russian peacekeepers'

35
00:03:53.719 --> 00:04:02.639
control. This tiny little sliver of
land is a primary locus of the years

36
00:04:02.680 --> 00:04:09.400
long conflict. The situation in Artsakh
is pretty tense. There are a lot

37
00:04:09.479 --> 00:04:14.800
of military conflicts there in the area
and all kinds of ceasefire violations and

38
00:04:14.879 --> 00:04:20.399
sporadic violence. And this is the
conflict that largely affects the relationship between

39
00:04:20.480 --> 00:04:27.639
the two countries for more than twenty
years. Tensions flared late last year when

40
00:04:27.720 --> 00:04:34.160
Azerbaijani citizens working for the Azerbaijani government
blocked off the little Lachin Corridor, thereby

41
00:04:34.279 --> 00:04:42.480
disconnecting Artsakh from Armenia and the rest
of the world. The Azerbaijani side claims it

42
00:04:42.560 --> 00:04:48.879
is peaceful eco protests. The Armenian
side claims it is a blockade by Azerbaijanis

43
00:04:48.959 --> 00:04:56.879
in order to cut the region off from
supplies. The staged protest at Lachin

44
00:04:57.399 --> 00:05:02.480
was very significant, but it wasn't
the only action taken by the Azerbaijani government

45
00:05:02.759 --> 00:05:13.480
at the time. In late November, one of the major banks in the

46
00:05:13.879 --> 00:05:19.240
region got a malicious email: Artsakh
Bank, an Armenian bank with eleven

47
00:05:19.279 --> 00:05:26.879
branches in the disputed region. A
suspicious email delivered to Artsakh Bank included

48
00:05:26.959 --> 00:05:33.319
a PDF document of the Wikipedia page
of a man named Alexander Lapshin. Alexander

49
00:05:33.439 --> 00:05:43.920
Lapshin is a Russian-Israeli blogger. He's
pro-Armenian in relation to the Armenian-

50
00:05:44.040 --> 00:05:49.120
Azerbaijani conflict, and he talks openly about
that. So in twenty sixteen he was

51
00:05:49.319 --> 00:05:58.079
detained in Belarus and was extradited to
Azerbaijan by the request of the Azerbaijani government,

52
00:05:58.959 --> 00:06:06.759
and there he was accused of visiting
the territory of Azerbaijan, which is Artsakh,

53
00:06:08.439 --> 00:06:15.839
back in twenty eleven, twenty twelve, without
getting permission from the Azerbaijani authorities. Lapshin

54
00:06:15.160 --> 00:06:23.040
was sentenced to three years in an
Azerbaijani prison, and a few months after

55
00:06:23.519 --> 00:06:30.319
his detention in Azerbaijan, something happened. The Azerbaijani side claims that it was a

56
00:06:30.360 --> 00:06:36.319
suicide attempt. Lapshin himself claims that
it was an attempt to kill him.

57
00:06:36.439 --> 00:06:42.040
So he was hospitalized and then a
few days later he was pardoned by the

58
00:06:42.079 --> 00:06:48.839
President of Azerbaijan and sent back to
Israel. Then he started a court case

59
00:06:49.160 --> 00:06:56.279
against Azerbaijan in the European Court of
Human Rights. On May twenty, twenty

60
00:06:56.360 --> 00:07:00.480
twenty one, in the case of
Lapshin versus Azerbaijan, the court ruled that

61
00:07:00.560 --> 00:07:08.199
Azerbaijani authorities violated Lapshin's right to life
and ordered them to pay him thirty thousand

62
00:07:08.360 --> 00:07:17.279
euros. To celebrate his victory,
Lapshin had a bit of fun. So

63
00:07:17.560 --> 00:07:23.959
the next day after this decision,
what he did is on his Facebook account

64
00:07:24.319 --> 00:07:30.959
he published a picture of a credit
card for the bank account that he opened

65
00:07:30.959 --> 00:07:35.959
specifically to get this money from the
Azerbaijanian government, and he kind of mocked

66
00:07:35.959 --> 00:07:47.879
the Azerbaijani government by opening this account
in Artsakh Bank. Azerbaijan didn't take kindly to

67
00:07:48.120 --> 00:07:55.279
being trolled. This was the context
for a suspect PDF delivered to Artsakh Bank

68
00:07:55.639 --> 00:08:01.519
just a couple of weeks before the
blockade of Artsakh, which is

69
00:08:01.600 --> 00:08:07.639
kind of a pretty nice way to
lure the employees of the bank to open

70
00:08:09.120 --> 00:08:13.920
something that came with his name and
use it. The idea was that while

71
00:08:13.959 --> 00:08:20.920
the employee was only seeing the bait, quietly
in the background of their computer, a

72
00:08:20.959 --> 00:08:30.399
malicious backdoor was burrowing into the network. In August twenty twenty one, a

73
00:08:30.519 --> 00:08:35.519
month after a phishing campaign was deployed
against Azerbaijani activists, a computer in

74
00:08:35.679 --> 00:08:43.639
Armenia uploaded a malware sample to VirusTotal,
a website for detecting malware in files and

75
00:08:43.000 --> 00:08:50.559
URLs. The file was
aptly named Report on the Azerbaijani Military Aggression

76
00:08:50.840 --> 00:08:56.440
Final Update twenty twenty one dot SCR. Despite being a screensaver file,

77
00:08:56.759 --> 00:09:03.480
it was presented on screen with a
PDF icon. Upon execution, the file

78
00:09:03.559 --> 00:09:11.519
presented victims with a document titled, quote,
report on the Azerbaijani Aggression against Artsakh,

79
00:09:11.840 --> 00:09:16.360
Nagorno-Karabakh and Armenia, end quote. Evidently, in the months that

80
00:09:16.600 --> 00:09:24.759
passed between attacks, the hackers didn't
improve their spelling, forgetting a G in aggression,

81
00:09:24.720 --> 00:09:31.159
but they clearly had improved in other
ways. The lure was more specific,

82
00:09:31.440 --> 00:09:35.879
more enticing to the particular kind of
target they were after compared with the

83
00:09:35.919 --> 00:09:43.159
more general Human Rights Watch invoice,
and the malware too was being iterated on.

84
00:09:43.159 --> 00:09:48.679
The first version of this malware was
used around July twenty twenty one,

85
00:09:48.000 --> 00:09:52.039
and it was much simpler.
It had far fewer commands. It basically

86
00:09:52.679 --> 00:09:58.639
knew just how to collect the recordings
and run additional commands. Then we've seen

87
00:09:58.639 --> 00:10:05.360
it once again in February twenty twenty
two, with much more advanced features like

88
00:10:05.679 --> 00:10:13.080
collecting the files in different ways. February
twenty twenty two. This time the email

89
00:10:13.159 --> 00:10:20.559
pretended to come from the BBC and
required a password for decryption, a clever

90
00:10:20.679 --> 00:10:26.720
little adjustment, since antivirus programs, without
knowing the password to a file, can't actually

91
00:10:26.799 --> 00:10:31.320
read and interpret whether they're safe or
not. The attackers were working on their

92
00:10:31.440 --> 00:10:37.360
tactics, techniques, and procedures for
over a year, probably two years,

93
00:10:37.600 --> 00:10:41.679
and we lead up to late twenty
twenty two, when, for at least

94
00:10:41.799 --> 00:10:46.679
the fourth time, and for the
very first time against a commercial organization they

95
00:10:46.879 --> 00:10:56.759
deployed their malware. So we call
this malware OxtaRAT, OxtaRAT as in

96
00:10:56.039 --> 00:11:01.879
remote access Trojan. OxtaRAT is
based on AutoIt, a perfectly legitimate

97
00:11:03.000 --> 00:11:09.080
computer language for automating the Windows user
interface. It's a legitimate administrative tool in

98
00:11:09.159 --> 00:11:15.440
order to allow the IT administrators to
perform their tasks, but it's often abused

99
00:11:15.480 --> 00:11:22.639
by all kinds of malicious activities.
A decade ago, Trend Micro analyzed why

100
00:11:22.840 --> 00:11:26.799
so many hackers were choosing AutoIt.
As one expert explained, quote,

101
00:11:28.200 --> 00:11:33.759
AutoIt is scalable,
very similar to BASIC, and is outrageously

102
00:11:33.799 --> 00:11:37.279
easy to code, end quote. Will Hood
said this ease of use takes away the

103
00:11:37.360 --> 00:11:43.480
learning curve of learning more complex languages
such as Python. This opens up a

104
00:11:43.559 --> 00:11:50.000
wide array of possibilities to hackers that
may not otherwise expose themselves to a scripting

105
00:11:50.080 --> 00:11:56.519
language. In other words, AutoIt
can make your job easy if

106
00:11:56.600 --> 00:12:01.679
you're in a rush, maybe,
or if you're not a particularly good hacker,

107
00:12:01.200 --> 00:12:07.919
like perhaps the folks behind OxtaRAT.
I would say that technically it's not very

108
00:12:07.960 --> 00:12:16.200
complicated, but it works. Although
it's not some fancy, super stealthy thing,

109
00:12:16.360 --> 00:12:22.080
it does a job. However simplistic it
might be, OxtaRAT is nonetheless

110
00:12:22.200 --> 00:12:28.360
dangerous, years in the making, with
many different types of components, which allow it

111
00:12:28.759 --> 00:12:35.879
to run additional code on the machine, search for and exfiltrate different types of

112
00:12:35.000 --> 00:12:41.600
files and data on the machine,
to perform active surveillance activity by recording

113
00:12:41.720 --> 00:12:50.799
video from the desktop or from the web camera, by taking screenshots, also installing additional

114
00:12:50.000 --> 00:12:58.360
software for remote access control such as
TightVNC, basically anything an attacker could imagine

115
00:12:58.639 --> 00:13:05.840
wanting to do to a victim computer, and
also to collect all different kinds of information

116
00:13:05.879 --> 00:13:11.720
about the machine itself, the processes, the drives, the system information,

117
00:13:11.320 --> 00:13:18.120
and it also allows performing port
scanning and using this compromised machine in order

118
00:13:18.159 --> 00:13:26.000
to pivot inside the network. By
the time of their late twenty twenty two

119
00:13:26.000 --> 00:13:33.000
attack, the hackers had also improved
on their tactics for hiding OxtaRAT. First

120
00:13:33.039 --> 00:13:37.919
among them was AutoIt itself. Hackers like to use commercial software to

121
00:13:37.960 --> 00:13:45.679
trick computers into thinking that their behavior
is legitimate. These hackers used AutoIt to

122
00:13:45.879 --> 00:13:50.840
compile malicious code and run it as
seemingly legitimate automation on a Windows computer.

123
00:13:52.320 --> 00:14:00.240
skirting antivirus engines along the way. And also the actors improved their security.

124
00:14:00.480 --> 00:14:05.639
They geofenced their servers, meaning
only those who come from the specific IP

125
00:14:05.799 --> 00:14:11.559
ranges. In our case, the
payloads were received only from IP addresses in

126
00:14:11.600 --> 00:14:16.840
Azerbaijan and Armenia. Only those can
get the actual payload and be infected.

127
00:14:18.000 --> 00:14:22.159
This is done in order for researchers
not to find it easily and find it

128
00:14:22.440 --> 00:14:28.440
and reveal its capabilities easily. And lastly, in their efforts to evade detection,

129
00:14:28.320 --> 00:14:35.759
they did a small trick, perhaps
their most clever tactic. They hide the

130
00:14:35.279 --> 00:14:43.639
code in an image, like a regular
PNG image, which is done by encoding

131
00:14:43.759 --> 00:14:50.519
malware into an image file. These
types of files are called polyglot files,

132
00:14:50.960 --> 00:14:58.240
meaning they might be a legitimate picture and
something else. So in this case,

133
00:14:58.600 --> 00:15:03.080
if you open this as a picture, let's say, with your picture editor,

134
00:15:03.759 --> 00:15:07.399
then you will see it as a
picture. But if you run it

135
00:15:07.480 --> 00:15:11.799
with the tool that's supposed to run
it as a script, then it will

136
00:15:11.879 --> 00:15:18.080
run as a script. What's the
purpose of all this? It's probably done

137
00:15:18.120 --> 00:15:22.759
in order to hide the artifacts on
the machine from those who are going to

138
00:15:22.759 --> 00:15:26.000
investigate it later, because you will
just see in the file system an image

139
00:15:26.320 --> 00:15:30.679
and you won't even think that it's
somewhere inside of it. There is a

140
00:15:31.200 --> 00:15:35.759
script hidden, and it's hidden in
compiled form, so even if you open

141
00:15:35.799 --> 00:15:39.240
it in a text editor, then you
will just see a lot of gibberish that

142
00:15:39.480 --> 00:15:45.159
doesn't make any sense. OxtaRAT
has many components to it, many mechanisms

143
00:15:45.200 --> 00:15:50.080
to prevent detection and functions to carry
out malicious deeds, but at the end

144
00:15:50.080 --> 00:15:56.480
of the day, its focus is
clear. The main intention of the malware

145
00:15:56.960 --> 00:16:03.720
is just to sit patiently and collect
all different kinds of information. Multiple

146
00:16:03.840 --> 00:16:11.159
functions in this backdoor are actually related
to collecting the data in the most effective

147
00:16:11.200 --> 00:16:17.679
way possible, search for the data
on the machine with the many different kinds

148
00:16:17.679 --> 00:16:22.399
of tools, then compress it and
send it to the attacker's control server.

149
00:16:23.879 --> 00:16:30.759
So if we talk about using this
malware in corporate environments, then it might

150
00:16:32.279 --> 00:16:38.480
lead to potential compromise of the customers
personal data, and then it can be

151
00:16:38.600 --> 00:16:44.639
used in order to facilitate any other
different kind of attack starting from social engineering

152
00:16:44.720 --> 00:16:51.440
to all kinds of more advanced operations, or just leak their data to some

153
00:16:51.519 --> 00:16:59.559
other third parties. Ultimately, this
attack probably wasn't about gathering bank account numbers

154
00:16:59.679 --> 00:17:06.039
or rout consumer data. The hackers
were clearly politically motivated and likely wanted to

155
00:17:06.039 --> 00:17:14.079
attack certain specific people. When we
talk about the individuals, the effects of

156
00:17:14.640 --> 00:17:21.279
surveillance on them is much more serious. First, we've seen the cases when

157
00:17:21.319 --> 00:17:26.319
the usage of this malware eventually led
to the destruction of the work of people

158
00:17:26.359 --> 00:17:30.839
who were targeted by that. For
example, when actors gain access to the

159
00:17:32.640 --> 00:17:37.160
journalists' social media accounts, then
they just deleted all their posts or basically

160
00:17:37.200 --> 00:17:45.160
just threw away part of their work. Another thing is that surveillance operations usually

161
00:17:45.519 --> 00:17:52.480
not only involve the targets themselves, but also all the people around them.

162
00:17:52.960 --> 00:17:56.400
So if you read the stories about
for example, Pegasus, the Israeli

163
00:17:56.720 --> 00:18:03.279
NSO group developed spyware used against activists, politicians, and others around the globe,

164
00:18:04.079 --> 00:18:07.839
you will hear the victims being in
shock that they found out that not

165
00:18:07.920 --> 00:18:12.000
only them were being targeted, but
also their relatives or their partners, and

166
00:18:12.519 --> 00:18:18.880
it's a little bit scary. Fortunately, at the end of our story,

167
00:18:19.440 --> 00:18:26.359
the employees of Artsakh Bank escaped compromise. But as our guest and her colleagues

168
00:18:26.440 --> 00:18:30.279
noted in a blog post quote,
due to the infrastructure revealed, we believe

169
00:18:30.440 --> 00:18:36.799
that there might have been other targets
of this campaign in Armenia as well.

170
00:18:37.519 --> 00:18:45.319
Exactly who else was targeted and whether
they fell into the attackers' trap remains unknown,

171
00:18:45.079 --> 00:18:49.519
and based on the evidence of recent
years, we can only expect that

172
00:18:49.680 --> 00:18:56.799
these adversaries will be back again soon. Our goal as the security community is

173
00:18:57.640 --> 00:19:03.519
to make this world a little bit
better. So I think it's important to

174
00:19:04.039 --> 00:19:11.759
raise awareness of attacks like this,
because they affect individuals and their relatives,

175
00:19:11.200 --> 00:19:19.200
and we really hope that this research
will inspire also other vendors to talk more

176
00:19:19.279 --> 00:19:27.240
about this region, about this conflict
and what's going on there. That's it

177
00:19:27.400 --> 00:19:32.799
for this episode. Thank you for
listening. For past episodes, visit the Check Point

178
00:19:32.799 --> 00:19:37.960
Research blog at research dot checkpoint dot
com, and you can follow Check Point Research

179
00:19:37.079 --> 00:19:41.799
on Twitter, or follow me at Ran
Levi. That's R-A-N L-E-

180
00:19:42.200 --> 00:19:48.279
V-I. CPRadio is produced
by PI Media, written by Nick Neilson,

181
00:19:48.480 --> 00:19:52.920
produced by Hila Shemish, and edited
and narrated by me, Ran Levi.

182
00:19:52.279 --> 00:20:03.279
See you next episode. Bye bye,

