malware – Azerbaijan Internet Watch

It’s been months since an investigation led by an international consortium of journalists and technology experts revealed how Pegasus, a hacking software developed and sold by an Israeli surveillance company, NSO group targeted civil society representatives globally. On the country lists of phone numbers identified to have been targeted with Pegasus were numbers that belonged to dozens of civil society activists in Azerbaijan. Abulfaz Gurbanli, a political activist, was among them.

After learning that his device was infected, Gurbanli wiped his entire device and had it reset. On February 15 after plugging his device into a power adapter, Gurbanli’s device was remotely reset. Shortly after, he lost access to his Gmail account. The reset got rid of the google authenticator Gurbanli had set up to access his email account. Within hours, the political activist also lost access to his Facebook profile. Although the URL was briefly inaccessible on Facebook, it has been reinstated. Gurbanli finally secured access to his account on February 17.

In addition to a remote reset, Gurbanli also had multiple attempts to hack into his Facebook and Telegram accounts earlier. AIW spoke with a digital security expert who took a closer look at the IP address where these attempts originated from, indicating that it was the same IP that targeted other activists in the past few months.

There is suspicion that Gurbanli’s device was re-infected with Pegasus. But these suspicions can only be confirmed after a thorough device forensic analysis.

Fake interview request

On February 15, Gurbanli received an email from BBC Azerbaijan Service asking him for an interview.

Screenshot of the email sent to Gurbanli on February 15.

The journalist, who introduced herself as Sevinc, also contacted Gurbanli via WhatsApp.

Screenshot of Gurbanli receiving a message on WhatsApp.

Translation:

Sevinc: Hello Mr. Abulfaz. Writing to you from BBC Azerbaijan service, journalist Sevinc. I have a few questions about the agenda topics. Can you please share your email address and send us suitable pictures for the BBC website?
Gurbanli: Hello Ms. Sevinc. Thank you. I wanted to clarify whether you are referring to stories published on virtualaz.org and haqqin.az when you refer to the agenda topics?
Sevinc: It is about your projects and other political agenda.
Gurbanli: [sends his email address]
Sevinc: ok, check your email, there is a file with questions you can check on your computer. If the file requests a code, just write bbc and send us a suitable picture.
Gurbanli: Ms. Sevinc how do I know the link you have sent does not have a virus. I hope you understand this and I apologize for hesitating.
Sevinc: Mr. Abulfaz, the file does not contain virus, don’t worry. Can you please send a picture?

AzNet Watch has written to azeri@bbc.co.uk – the official email address of the Azerbaijan service informing the service of the incident.

AzNet Watch also requested assistance from Qurium media to analyze the link shared in the email and despite the journalist’s assurances, the link did contain a virus. “The mail pointed to a RAR compressed file in Google Drive that once downloaded required a password to be decrypted. The password to decrypt the file was included in the phishing e-mail: bbc. Compressed files that are password protected are common in malware phishing attacks as the files can not be scanned by antivirus,” concluded Qurium in its preliminary report. Further forensics report identified malware written in AutoIT. Once the link (in our case the link to a drive where the alleged journalist left questions for the political activist) was opened, the hacker through the deployed malware installed a persistent backdoor in the system. “The software connects to the domain name smartappsfoursix{.}xyz to download the rest of his software requirements. It downloads gpoupdater.exe and libcurl.dll that look responsible for uploading files to the command and control server. During the execution of the malware several (10) screenshots of the Desktop were uploaded to the server,” reads the Qurium analysis.

Meanwhile, after taking over Gurbanli’s Facebook account, the hacker also deleted all of the content on at least seven of the community pages, where Gurbanli was an admin (screenshots below are from just two pages).

Screenshot of Şəki İcma İnkişaf Mərkəzi Facebook page

Screenshot of İcma Akademiyası Facebook page

These attacks came shortly after a pro-government media published an article targeting Gurbanli accusing the political activist of allegedly organizing color revolutions in Azerbaijan.

On July 8, Azerbaijan Internet Watch received a notification that an email sent on behalf of Human Rights Watch reached a number of prominent Azerbaijani civil society activists. The email contained an attachment “Human Rights Invoice Form Document – 2021.docx” prompting the recipient to download the attached file.

AIW, reached out to partners at Qurium to analyze the attachment. The forensics confirmed the suspicions that the email was indeed a virus. According to preliminary conclusions, “the e-mail included a link to malware, with the capability of webcam and Desktop recording, execution of windows commands (WMI) as well as extraction and uploading of selected files from the victim’s computer.

Screenshot from the original email that was sent.

Phishing incidents targeting civil society activists are common in Azerbaijan.

Numerous reports, including several by AIW, in partnership with Qurium, documented and investigated these attacks, over the recent years [see below].

A detailed report by Qurium presents an analysis of the malware and explains how it was built, its capabilities, and where it was hosted. Among the findings were:

desktoprecord
webcamrecord
download
implant
makepersistent
massdownload
stopimplant
upload
uploadexec
wmicexec
aueval

In addition to taking screen captures and webcam recording, there was another interesting detail – insufficient knowledge or lack of an auto-correct program run on a computer or the user, developing the malware. As captured by Qurium, there were several grammatical mistakes in the pop-up window informing the owner of the device who downloaded the email “Unsopported Microsoft Word version!” & @CRLF & “File corrupted. Error numer: 0x65415681.”

Qurium also released its report titled “A decade of efforts to keep Azerbaijani media online” that sums up the assistance the platform has provided since 2010 including monitoring and mitigating a wide range of cyberattacks against the websites in Azerbaijan and since 2016, releasing no less than twenty forensics reports to document their findings.

Further, read:

March 19, 2017 – False Friends: How Fake Accounts and Crude Malware Targeted Dissidents in Azerbaijan, Amnesty International
January 14, 2020 – mass phishing attack against Azerbaijan civil society [updated], AIW/Qurium
January 15, 2020 – FISHING PHISHERS IN AZERBAIJAN, Qurium
February 20, 2020 –the “man” behind the phishing attacks, AIW/Qurium
March 8, 2021 – spotted, phishing attack on opposition activist [updated march 9], AIW

Tag: malware

Deliberate targeting in pro government media leads to targeted attacks online – the case of Abulfaz Gurbanli [Updated]

Fake interview request

attention: phishing attack detected

Further, read: