This blog post was authored by Hossein Jazi

Threat actors often vary their techniques to thwart security defenses and increase the efficiency of their attacks. One of the tricks they use is known as steganography and consists of hiding content within images.

We recently observed a malicious Word file that uses this technique to drop a Remote Administration Trojan (RAT) that was new to us. Based on the decoy document, we assess that this attack is targeting the government and military of Azerbaijan.

Since April 2020 attackers have been taking advantage of the tensions between Azerbaijan and Armenia to target Azerbaijanis. Researchers found several actors that have exploited this conflict via phishing lures to drop AgentTesla and PoetRat. While AgentTesla has been distributed globally through different spam campaigns, PoetRat has been used specifically to target Azerbaijanis.

It seems the document we analyze in this blog has no connection with PoetRat for several reasons: The PoetRat actor has not used steganography in its malicious documents and used Python and Lua variants while the actor we analyzed has dropped a .Net rat called Fairfax which does not seem to be a .Net variant of PoetRat.

Maldoc analysis

The document lure is written in Azerbaijani and talks about a “National Security and Scientific” conference that will be held in Azerbaijan in 2021.

Figure 1: Maldoc lure content

The malicious document contains a macro that is obfuscated. The attacker has inserted random characters within the meaningful names to obfuscate the functions and variables names. Here are some of the examples:

  • AddArg_OACZT_20210214_115603_xokkn_uments29 -> AddArguments29
  • zixokknpPath -> zipPath
  • tesOACZTtcustomdirabcdefghijklmnopqrstuvwxyzect_OACZT_20210214_115603_xokkn_ory -> testcustomdirectory

After deobfuscation, the names become clear and can easily figure out the intent of the macro.

Figure 2: Macro after deobfuscation

The attacker also used another layer of obfuscation to encode strings. Function “MyFunc23” has been defined for this purpose. This function receives an array of numbers and decodes them into a string.

This function has a loop that reads four numbers of the input array in each iteration and passes them to another function to convert them to a character. At the end it concatenates those characters to build the final string.

Figure 3: decoder function

The convertor function defines a big switch statement that returned the character equivalent of each 4 numbers.

Figure 4: Convertor function

Upon opening the document and enabling the content the macro will be executed. At first it defines the following files and directories:

  • zipPath: Directory that stores the extracted zip file from png image
  • appFolder: directory that stores the Rat
  • runner: path of the batch file which executes the Rat
  • docxPath: path of the file that keeps a copy of the current document
  • docxCopyPath: Path of the zip format of the copied document
  • docxUnzipFolder: Directory that contains the document after being unzipped
Figure 5: Define names

Then, it tries to create the appFolder directory and if it could not create the directory it exits. After creating the directory, it copies itself in a new format to the file path defined before. The reason it copies itself in a new format is because the current document is protected and even after unzipping its content the macro will not be able to find the image to extract the zip file.

Figure 6: Creates a copy of itself

To create a copy of itself, It uses “SaveAs2” function that saves the specified document with a new name or format. The string “wdFormatDocumentDefault” has been passed in as a file format parameter which saves the document as DOCX format. In this way the macro can see the image that has embedded zip file.

Figure 7: Save as function

In the next step, it extracts the created document copy into the created folder and calls “ExtractFromPng” function to extract the embedded object from the png file. This function calls itself recursively to read all chunk identifications within the png image until it reaches the “puNk” chunk identification which is the chunk that has the embedded zip file. After finding the chunk, it extracts and writes it into “fairfax.zip”.

Figure out 8: Extract zip file from png
Figure 9: Chunk identification

The “fairfax.zip” is then extracted into %APPDATA%\vstelmetry directory. It contains the an executable file (Fairfax.exe) as well as a batch file (runner.bat). The executable has been written in Visual Studio and it seems the attacker archived the whole Visual Studio project.

Figure 10: Fairfax directory

At the end it performs some dummy functions and then executes runner.bat to execute fairfax.exe.

Figure 11: Execute runner.bat

FairFax.exe:

This is a .Net RAT that has been developed using TAP model (Task Asynchronous Programming model). This model provides an abstraction over asynchronous code. In this model each functionality can be defined as a Task and will be executed based on the external resource allocation and when other tasks complete.

Figure 12: Main

This RAT is not obfuscated and contains three main functionalities:

  • Download files
  • Upload files
  • Take screenshots
Figure 13: Main functionalities

All the configurations have been stored in Global settings including appfoldername, vbfilename, host address, scheduled task info, vbfile content, and cipherkey.

Figure 14: Global settings

All the communications with the server are AES encrypted and base64 encoded.

Figure 15: Decryption function
Figure 16: Encryption Function

For network communications it has defined four different tasks to send and receive files and commands: SendFileAsync, SendAsync, ReceiveAsync and ReceiveFileAsync.

Figure 17: Network communications

To manage the files, it has FileManager class that can get the file and save into a temp directory and also zip files.

Figure 18: File manager

It also has the capability to make itself persistent by creating a vbsfile and adding it to Scheduled Tasks.

Figure 19: Scheduled task

Conclusion

Threat actors use many techniques to subvert analysis and detection; in this blog post we examined a group employing the less common technique of steganography, in which the actor hides a malicious payload within an image.

Due the geopolitical events happening between Azerbaijan and Armenia, digital attacks against these countries have increased in the past year. Cisco Talos reported a new RAT named PoetRAT which was also used to target Azerbaijan, though differences in the sample analyzed in this post suggest this RAT is not related. Malwarebytes analysts will continue to track this activity, and report on any new findings related to this threat.

IOCs

File NameSHA256
telebler.docef02527858797356c5e8571c5a22d00c481fbc9ce73c81a341d482ea3776878a
Fairfax.zip4ad451a1c07d1760a0586c3c5132a68539d98198c402f4fc2b42b954ea9f76d7
auroraXXXX.zip
auroraXXXX.docx
0573926b05c34af23c7003cc0a30cfc682335f7e787958f9be7e6804edacd0a1
image1.pngf33db9011c69e6f4b13c765f77466de023f442d8a75bce8ab450f4978275671a
runner.bat909a94451d2640f89ec25aebcede14f238ead06b94f28544a99f4ecc2411b3b5
Fairfax.exeab0f4d290f3d4532896dea80563e342c825b12e0111c2d54eac62b1b942b854b
Fairfax.exe69e880b0545330b8e6d1543c47d89b4907fb79899b40c2478c591225ffc551ce

C2:
vnedoprym.kozow[.]com
111.90.150[.]37

MITRE ATT&CK Techniques

TacticIdNameDetails
Initial AccessT1566PhishingDistributing maldocs through phishing emails
ExecutionT1059.003Windows command shellStarts CMD.EXE for commands execution
T1064ScriptingExecuting FairFax.exe using batch file
 T1059.001PowerShellExecutes PowerShell scripts
T1204.002User ExecutionManual execution by user
PersistenceT1053.005Scheduled TaskUses Task Scheduler for persistence
Defense EvasionT1140Deobfuscate/Decode Files or InformationThe RAT has the ability to decode base
64 data and decrypt AES encrypted data
ColletionT1113Screen CaptureThe RAT has the ability to capture the screen
T1560.001Archive Collected Data: Archive via UtilityThe RAT archived files using zip utility
Command and ControlT1071.001Application Layer Protocol: Web ProtocolsUsing HTTPS for C2 communications
T1132.001Data Encoding: Standard EncodingC2 traffic are base64 encoded and AES encrypted
ExfiltrationT1041Exfiltration Over C2 ChannelExfiltrates the data over C2