Attacks on Azerbaijan Businesses Drop Malware via Fake Image Files

Published: 23/11/2024   Category: security




Images purporting to be of the Armenia and Azerbaijan conflict were malware downloaders in disguise.



A spear-phishing email posing as a memo from the president of an Azerbaijani company hid malware behind images to infiltrate businesses associated with the firm.
According to research from Fortinet, the emails cited the conflict between Azerbaijan and Armenia and delivered a zip file. The archive mixed genuine photos with a malicious file that only looked like one.
The victims were management teams of businesses associated with the Azerbaijani company, according to Fortinet. Fortinet senior security engineer Fred Gutierrez, who declined to name the spoofed firm, says other businesses hit by the campaign included subsidiaries of the company as well as its business partners.
The email claims to contain information about a border clash between soldiers from Azerbaijan and Armenia, and includes an obfuscated link delivered via HTML smuggling. The page displays four images, one of which is actually an LNK (Windows shortcut) file that downloads the malware.
Opening the email is enough to begin the infection chain, Gutierrez says. It automatically downloads a zip file, the one containing the images, to the user's computer. HTML smuggling still requires the user to perform an action to become fully infected. In this case, the user has to manually type in the password to open the zip file and then launch the corresponding file inside. The password is included in the text of the email, he adds.
HTML smuggling works by carrying the payload inside the HTML itself as an encoded string: when the email or page is rendered, JavaScript decodes that string and hands the browser a file to save, so the zip never crosses the mail gateway or web proxy as a downloadable file. The user is simply notified that the zip file has been downloaded; there is no option to decline or accept the download.
Once the user opens the downloaded zip file, enters the password, and launches the fake image (the LNK file), the installer is downloaded.
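The chain described above, as an added example that is not Fortinet's code or the campaign's actual page: the first two functions construct a smuggling page the way the technique works (a constructed archive of three JPEG stubs and one LNK stub, base64-encoded into a script that rebuilds it as a Blob and triggers a download), and `scan_html` is the triage check a defender would run over an HTML attachment, decoding embedded base64 literals and identifying archive entries by their magic bytes rather than their names. File names, the archive contents and the API list are assumptions for illustration.

```python
import base64
import io
import re
import zipfile

# Every Windows shell link (.lnk) begins with HeaderSize 0x4C followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 in little-endian order.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
JPEG_MAGIC = b"\xff\xd8\xff"
ZIP_MAGIC = b"PK\x03\x04"
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")

# JavaScript calls that reassemble a file client-side; their presence in a
# mail-borne HTML file is the first thing to look for (assumed watch list).
SMUGGLE_APIS = ("atob(", "new Blob(", "createObjectURL(", ".download", "msSaveOrOpenBlob(")
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def build_sample_zip() -> bytes:
    """Constructed archive (not the campaign's): three JPEG stubs and one LNK
    stub named so that Explorer, which never shows the .lnk extension,
    displays it as 'border_4.jpg'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in (1, 2, 3):
            zf.writestr(f"border_{i}.jpg", JPEG_MAGIC + b"\x00" * 64)
        zf.writestr("border_4.jpg.lnk", LNK_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def build_smuggled_html(payload: bytes, filename: str) -> str:
    """The smuggling page: the archive rides inside the HTML as base64 and is
    rebuilt into a Blob by the browser, so no zip crosses the mail gateway or
    web proxy as a downloadable file."""
    b64 = base64.b64encode(payload).decode()
    return f"""<html><body><p>Loading photos...</p>
<script>
var data = "{b64}";
var bytes = Uint8Array.from(atob(data), function (c) {{ return c.charCodeAt(0); }});
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "{filename}";
document.body.appendChild(a);
a.click();
</script></body></html>"""


def classify(head: bytes) -> str:
    """Identify a file by its leading bytes, never by its name."""
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"


def scan_html(html: str, zip_password: bytes = None) -> dict:
    """Static triage of an HTML attachment: list smuggling APIs, decode every
    long base64 literal, and if one is a zip inspect each entry's magic bytes.
    zip_password is the password quoted in the lure email (zipfile handles the
    legacy ZipCrypto scheme only; AES-encrypted archives need another tool)."""
    report = {"apis": [a for a in SMUGGLE_APIS if a in html], "payloads": []}
    for m in B64_LITERAL.finditer(html):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        if not blob.startswith(ZIP_MAGIC):
            continue
        entries = []
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                with zf.open(info, pwd=zip_password) as fh:
                    kind = classify(fh.read(32))
                name = info.filename.lower()
                entries.append({
                    "name": info.filename,
                    "kind": kind,
                    # an LNK whose name carries an image extension is the lure
                    "disguised": kind == "lnk" and any(e in name for e in IMAGE_EXTS),
                })
        report["payloads"].append({"size": len(blob), "entries": entries})
    return report


if __name__ == "__main__":
    page = build_smuggled_html(build_sample_zip(), "border_photos.zip")
    for payload in scan_html(page)["payloads"]:
        for e in payload["entries"]:
            flag = "  <-- LNK disguised as image" if e["disguised"] else ""
            print(f"{e['name']:<22} {e['kind']}{flag}")
```

Two practical points follow from the code. The password for the archive is in the email body, so an automated triage pipeline has to parse it out of the message before it can look inside; and because Explorer hides the `.lnk` extension unconditionally, a user sees `border_4.jpg` next to three real photos, which is why the check keys on magic bytes and not on the name.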
This malware is programmed in the increasingly popular Rust language.
The malware creates a temporary file named 24rp.xml, a scheduled-task definition that runs the information theft outside regular office hours. The researchers also note that the malware sleeps for random amounts of time while performing its tasks. The technique assumes the intended targets leave their computers on overnight, so the malware executes when nobody is at the keyboard and is less likely to be noticed.
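An added example of how a defender would audit a task definition for this off-hours persistence pattern; this is not Fortinet's tooling, and the XML below is constructed in the Task Scheduler schema to show the shape of such a task, not the contents of the real 24rp.xml, which the article does not reproduce. The office-hours range and the list of trusted directories are site-specific assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
OFFICE_HOURS = range(8, 19)   # 08:00-18:59 local time; site-specific assumption
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed task definition (not the real 24rp.xml). Real exports from
# "schtasks /Query /TN <name> /XML" are UTF-16 with a BOM: parse those as bytes.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Windows Update Helper</Description></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-11-20T23:15:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Public\\Libraries\\svchost.exe</Command></Exec>
  </Actions>
</Task>
"""


def audit_task(xml_text) -> list:
    """Return the traits of a task definition that match the off-hours
    persistence pattern; each string is one finding."""
    root = ET.fromstring(xml_text)
    findings = []
    # Any trigger whose first run falls outside office hours.
    for sb in root.findall("t:Triggers/*/t:StartBoundary", NS):
        start = datetime.fromisoformat(sb.text.strip())
        if start.hour not in OFFICE_HOURS:
            findings.append(f"trigger starts at {start:%H:%M}, outside office hours")
    # Hidden tasks are not listed in the Task Scheduler UI.
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    if hidden.strip().lower() == "true":
        findings.append("task is hidden")
    # A missed overnight run fires as soon as the host is available again, which
    # may be during office hours: do not build detections on off-hours-only timing.
    swa = root.findtext("t:Settings/t:StartWhenAvailable", default="false", namespaces=NS)
    if swa.strip().lower() == "true":
        findings.append("StartWhenAvailable: missed off-hours runs execute as soon as the host is back")
    # A command outside the OS and Program Files trees is a classic persistence
    # tell; checking the binary's signature would be the next refinement.
    for cmd in root.findall("t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"')
        if not path.lower().startswith(TRUSTED_DIRS):
            findings.append(f"command runs from a user-writable path: {path}")
    return findings


if __name__ == "__main__":
    for finding in audit_task(SAMPLE_TASK_XML):
        print("-", finding)
```

The same function can be fed the task XML carried in Security event 4698 (task created, when object-access auditing is enabled), which gives a near-real-time hook rather than a periodic sweep of exported definitions.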
The malware collects basic computer information and sends it to a command-and-control (C2) server. Gutierrez says the malware only looks for basic information: the victim's privileges and permissions, system configuration, running applications, network configuration, and a list of user accounts.
The nature of the information suggests this is either a red-teaming exercise or, more likely, the next step in the reconnaissance phase of a targeted attack, he says.
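An added detection example, not Fortinet's, for the reconnaissance step described above. The article does not say how the malware gathers this data; this code assumes it is collected through the built-in Windows discovery commands and flags a burst of them from one parent process within a short window, weighting the alert when it lands outside office hours. The process-creation records, thresholds and hostnames are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands mapped to the categories of data the article lists.
DISCOVERY = {
    "privileges": re.compile(r"\bwhoami\b"),
    "system": re.compile(r"\bsysteminfo\b"),
    "processes": re.compile(r"\btasklist\b"),
    "network": re.compile(r"\b(ipconfig|netstat|arp|route)\b"),
    "accounts": re.compile(r"\bnet\s+(user|localgroup|group)\b"),
}
WINDOW = timedelta(seconds=120)   # assumed burst window
MIN_CATEGORIES = 3                # assumed threshold
OFFICE_HOURS = range(8, 19)

# Constructed process-creation records (fields as in Sysmon event 1 / 4688):
# time|host|parent image|image|command line
SAMPLE_EVENTS = """\
2024-11-20T22:41:03|WS-FIN-07|C:\\Users\\Public\\Libraries\\svchost.exe|C:\\Windows\\System32\\cmd.exe|cmd /c whoami /priv
2024-11-20T22:41:05|WS-FIN-07|C:\\Users\\Public\\Libraries\\svchost.exe|C:\\Windows\\System32\\cmd.exe|cmd /c systeminfo
2024-11-20T22:41:19|WS-FIN-07|C:\\Users\\Public\\Libraries\\svchost.exe|C:\\Windows\\System32\\cmd.exe|cmd /c tasklist /v
2024-11-20T22:41:31|WS-FIN-07|C:\\Users\\Public\\Libraries\\svchost.exe|C:\\Windows\\System32\\cmd.exe|cmd /c ipconfig /all
2024-11-20T22:41:44|WS-FIN-07|C:\\Users\\Public\\Libraries\\svchost.exe|C:\\Windows\\System32\\cmd.exe|cmd /c net user
2024-11-20T10:02:10|WS-FIN-07|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd /c ipconfig /all
2024-11-20T14:30:00|WS-FIN-07|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd /c whoami
"""


def categorize(cmdline: str) -> set:
    """Which discovery categories a command line touches (may be empty)."""
    low = cmdline.lower()
    return {cat for cat, pat in DISCOVERY.items() if pat.search(low)}


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "parent": parent, "image": image, "cmdline": cmdline})
    return events


def detect_recon_bursts(events: list) -> list:
    """One alert per (host, parent) that runs MIN_CATEGORIES or more distinct
    discovery categories within WINDOW; off-hours activity raises the score."""
    groups = defaultdict(list)
    for ev in events:
        cats = categorize(ev["cmdline"])
        if cats:
            groups[(ev["host"], ev["parent"])].append((ev["time"], cats))
    alerts = []
    for (host, parent), items in groups.items():
        items.sort(key=lambda x: x[0])
        for i, (start, _) in enumerate(items):
            seen = set()
            for t, cats in items[i:]:
                if t - start > WINDOW:
                    break
                seen |= cats
            if len(seen) >= MIN_CATEGORIES:
                off_hours = start.hour not in OFFICE_HOURS
                alerts.append({"host": host, "parent": parent, "start": start,
                               "categories": sorted(seen), "off_hours": off_hours,
                               "score": len(seen) + (2 if off_hours else 0)})
                break   # one alert per parent process is enough
    return alerts


if __name__ == "__main__":
    for a in detect_recon_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"{a['host']} {a['parent']} at {a['start']:%H:%M:%S} "
              f"score={a['score']} categories={a['categories']}")
```

The caveat a practitioner needs: command-line auditing (Sysmon event 1 or 4688 with command-line logging enabled) has to be on for any of this to exist, and a Rust implant that reads the same facts through Win32 APIs instead of spawning `whoami` or `net user` leaves no such process trail. This rule complements host telemetry and C2 egress monitoring; it does not replace them.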
To defend against this type of attack, Fortinet recommends learning the signs of phishing, whether it arrives as an email or as a webpage, as in a watering-hole attack. Gutierrez also recommends that users avoid opening unknown files, use anti-malware programs and services, and report any strange files to their IT or network security departments.
For the obfuscated link, mitigation is less straightforward. According to MITRE ATT&CK's entry for HTML smuggling (T1027.006), this type of technique cannot be easily mitigated with preventive controls because it is based on the abuse of system features, which leaves detection of the smuggled payload and of what it does next as the practical control.
