As heavy clashes between Armenian and Azerbaijani forces over Nagorno-Karabakh, an ethnic Armenian region in Azerbaijan, continue to evolve, hackers are not sitting back quietly either: new campaigns are being launched against the Azerbaijani public sector and other important organizations.
In recent weeks, researchers have spotted efforts to compromise Azerbaijani government IT networks and to access the diplomatic passports of certain officials.
According to Cisco’s Talos threat intelligence unit, which detected and detailed the recent campaign, the operators behind it have used new versions of the PoetRAT malware, which has previously been seen in cyber attacks against the Azerbaijani government and the country’s energy sector. The researchers did not reveal who is behind the observed campaign, only calling the activity “espionage with national security implications” carried out by a group “with a specific interest in various Azerbaijani government departments.”
Talos first exposed this cyber espionage group in April 2020. The name of the group’s hacking tool, PoetRAT, comes from literary references found in the code, and while previous versions of the malware mentioned the English playwright William Shakespeare, the new variants include allusions to Russian writer Fyodor Dostoevsky.
As for the infection vector used by the group, the Talos team says the threat actor compromises victims via spear phishing campaigns that deliver weaponized MS Word documents with malicious macros, which download additional payloads depending on the target.
“Previous versions of PoetRAT deployed a Python interpreter to execute the included source code which resulted in a much larger file size compared to the latest version's switch to Lua script,” the researchers said.
In this recent campaign, the threat actor used a fake Azerbaijani government document referencing a decree signed by the President of the Republic of Azerbaijan about the partial mobilization of reserve soldiers in the country.
“With recent geopolitical events in Azerbaijan, it is fair to expect some cyber attacks. The PoetRAT malware was used against this country a few months ago and new campaigns from this threat actor appeared after the armed conflict,” the researchers said.
“The malware slightly evolved since our previous publication. The developer implemented a new exfiltration protocol to hide its activities. There's also additional obfuscation to avoid detection based on strings or signatures,” they added.