Security researchers from Cisco Talos have reported a malware campaign in which attackers covertly compromised IT systems of the Azerbaijani government and stole passport data belonging to some officials.
Cyber espionage often coincides with an intensification of hostilities. Days after the Azerbaijani president called for the mobilization of reserve soldiers, hackers used a fake government document on the same topic as bait in their attacks. Malicious code embedded in the document is capable of stealing data from a compromised computer and giving the attackers persistent access to the device.
Experts discovered the spy group in April this year. The criminals’ malware was named PoetRAT because its code was full of literary references.
In previous campaigns, the malicious document downloaded the Python interpreter and the PoetRAT malware, which used pyminifier to obfuscate the Python script and evade detection based on string matching or YARA rules.
The new version of the malware instead creates a ZIP file on the target system and executes the Lua script contained in that archive. The archive holds the Lua payload and luajit (the Lua interpreter for Windows). The script then downloads and executes an additional payload.
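As a defender, the combination described above (a Windows Lua interpreter shipped next to Lua scripts inside a single ZIP) is a pattern worth flagging. The following Python script is an added example, not Talos's detection logic or anything from the report; the member names, the "MZ" check and the interpreter name hints are assumptions chosen for illustration, and the sample archive is constructed in memory.

```python
import io
import zipfile

# Heuristic for the delivery pattern described above: an archive that bundles
# a Windows PE (a Lua interpreter) together with Lua script files.
# Name hints and magic bytes are illustrative assumptions, not a vendor rule.
PE_MAGIC = b"MZ"
LUA_SUFFIXES = (".lua", ".luac")
INTERPRETER_HINTS = ("luajit", "lua.exe", "lua5")


def inspect_archive(data: bytes) -> dict:
    """Report PE interpreters and Lua scripts found inside a ZIP given as bytes."""
    findings = {"pe_interpreters": [], "lua_scripts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(LUA_SUFFIXES):
                findings["lua_scripts"].append(info.filename)
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the first two bytes are needed for the PE check
            # A PE whose name suggests a Lua interpreter (e.g. luajit.exe).
            if head == PE_MAGIC and any(h in name for h in INTERPRETER_HINTS):
                findings["pe_interpreters"].append(info.filename)
    # Flag only when both halves of the pattern are present in the same archive.
    findings["suspicious"] = bool(findings["pe_interpreters"] and findings["lua_scripts"])
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Construct an in-memory ZIP from {name: bytes} for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a stub with a PE header named like the interpreter
    # plus a harmless Lua script. No real payload is involved.
    sample = build_sample_zip({
        "luajit.exe": PE_MAGIC + b"\x00" * 62,
        "payload.lua": b"-- placeholder script\nprint('hello')\n",
    })
    print(inspect_archive(sample))
```

The check is deliberately narrow; in practice it would feed a broader rule set (parent process of the archive creation, Office document origin) rather than stand alone.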
Talos experts did not say who was responsible for the cyber attacks and how many Azerbaijani government officials were affected.
It is noted, however, that given the recent geopolitical events in Azerbaijan, further cyber attacks can be expected. The PoetRAT malware was used against this country a few months ago, and new campaigns from the same attacker emerged after the armed conflict.
The latest evolution of PoetRAT shows its shift from Python to Lua.
Let me remind you that we previously covered how Russian hackers tried to steal COVID-19 research data and, according to Microsoft, attacked anti-doping agencies.