Armenian Entities Targeted by Sophisticated OxtaRAT Spying Tool in Cyber Attack


Armenian entities have been targeted by a new version of OxtaRAT, a backdoor that gives its operators remote access and desktop surveillance, now with expanded capabilities.

Armenian entities have fallen victim to a new version of OxtaRAT, a spying tool used by threat actors to gain remote access and monitor desktop activities. This updated version allows for a range of capabilities, such as exfiltrating files, recording videos from web cameras and desktops, remotely controlling machines with TightVNC, and more. Check Point Research has reported that the recent cyber-attacks started in November 2022, and it is the first time that the perpetrators have targeted Armenia. Previous targets were limited to Azerbaijan, where they attacked human rights organizations, dissidents, and independent media over several years.

The latest intrusion is notable due to the changes in the infection chain, improved operational security, and additional features of the backdoor. The attack starts with a self-extracting archive that appears to be a PDF file but in reality conceals malicious code inside an image. OxtaRAT is a polyglot file that combines compiled AutoIT scripts and images, allowing the threat actors to run commands, gather sensitive information, perform surveillance through web cameras, and pivot to other devices. The tool has been in use since June 2021, but earlier versions had significantly less functionality. This indicates a continuous effort by the perpetrators to improve their toolset and transform it into an all-purpose malware tool.

The November 2022 attack is notable for several reasons. The .SCR files that trigger the kill chain already contain the OxtaRAT implant, eliminating the need to download the malware from a command-and-control (C2) server. Additionally, the C2 domains that host auxiliary tools are geofenced so that only Armenian IP addresses can reach them. Furthermore, OxtaRAT can run commands for port scanning and for testing internet speed, which helps in hiding the extensive data exfiltration.
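The two delivery tricks described above, an image file with executable content appended after the image's structural end, and an executable carrying a document-like name such as a fake PDF, are both things a defender can check for in a triage pipeline. The following is an added example written for this article, not code from Check Point Research or from the article's author. It constructs its own sample files inline; the only real-world constants it relies on are the PNG and JPEG magic bytes, the `MZ` PE header, and the `AU3!EA06` marker string found in compiled AutoIt v3 binaries. It generalises slightly beyond the article by handling both PNG and JPEG containers.

```python
"""Triage helpers for image/executable polyglots and disguised droppers.

Added example for this article (not Check Point's or the author's code).
Sample files are constructed below; see build_png() and build_jpeg().
"""
import struct
import zlib
from typing import Dict, List, Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
PE_MAGIC = b"MZ"
AUTOIT_MARKER = b"AU3!EA06"  # script marker present in compiled AutoIt v3 binaries


def _png_end(data: bytes) -> Optional[int]:
    """Return the offset just past the IEND chunk of a PNG, or None if not a PNG."""
    if not data.startswith(PNG_MAGIC):
        return None
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header + payload + CRC
        if ctype == b"IEND":
            return pos
    return None  # truncated or malformed: no IEND found


def _jpeg_end(data: bytes) -> Optional[int]:
    """Walk JPEG segments to the first EOI after SOS; return offset past it."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # SOS: entropy-coded data follows the header
            idx = data.find(JPEG_EOI, pos + 2 + seg_len)
            return None if idx < 0 else idx + 2
        pos += 2 + seg_len  # skip APPn/DQT/SOF/... by declared length
    return None


def analyze_image(data: bytes) -> Dict[str, object]:
    """Report bytes that follow the image's structural end and what they look like."""
    kind, end = "png", _png_end(data)
    if end is None:
        kind, end = "jpeg", _jpeg_end(data)
    if end is None:
        return {"kind": None, "trailing_bytes": 0, "indicators": []}
    tail = data[end:]
    indicators: List[str] = []
    if tail.startswith(PE_MAGIC):
        indicators.append("pe_header_in_trailer")
    if AUTOIT_MARKER in tail:
        indicators.append("autoit_marker_in_trailer")
    return {"kind": kind, "trailing_bytes": len(tail), "indicators": indicators}


def disguised_executable(filename: str, data: bytes) -> List[str]:
    """Flag files whose name suggests a document but whose content is executable."""
    reasons: List[str] = []
    name = filename.lower()
    exec_ext = (".exe", ".scr", ".dll")
    if name.endswith(exec_ext) and any(d in name for d in (".pdf", ".doc", ".jpg")):
        reasons.append("document_double_extension")
    if data.startswith(PE_MAGIC) and not name.endswith(exec_ext):
        reasons.append("pe_content_with_nonexecutable_extension")
    return reasons


def build_png(trailer: bytes = b"") -> bytes:
    """Constructed sample: a valid 1x1 grayscale PNG with optional appended bytes."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        body = ctype + payload
        crc = struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
        return struct.pack(">I", len(payload)) + body + crc
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + trailer


def build_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed sample: minimal JPEG skeleton (SOI, APP0, SOS, EOI) plus trailer."""
    app0 = b"\xff\xe0" + struct.pack(">H", 7) + b"JFIF\x00"
    sos = b"\xff\xda" + struct.pack(">H", 2) + b"\x12\x34\x56"
    return JPEG_SOI + app0 + sos + JPEG_EOI + trailer


if __name__ == "__main__":
    sample = build_png(PE_MAGIC + b"\x00" * 64 + AUTOIT_MARKER)
    print(analyze_image(sample))
    print(disguised_executable("report.pdf.scr", PE_MAGIC + b"\x00" * 62))
```

Trailing bytes after IEND or EOI are not malicious by themselves (some cameras and editors append metadata), so the result is a triage signal to combine with the other indicators the article lists, such as a document-style name on an `.SCR` file, rather than a verdict on its own.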

Check Point suggests that the perpetrators might be moving from social engineering to infrastructure-based attacks or targeting corporate environments. The actors behind the attack have been using AutoIT-based malware for seven years and are continuously evolving their tactics. It is essential to exercise caution while opening files and ensure that computer security is up to date to prevent such attacks.

K Dinesh Kumara

Founder of PC World Online Magazine

I'm an educator, entrepreneur, and career guidance officer. I'm interested in ICT, psychology, financial literacy, meditation, and yogic sciences. My hobbies are discovering, learning, experiencing, sharing, and exiling.
