On July 8, Azerbaijan Internet Watch received a notification that an email sent on behalf of Human Rights Watch reached a number of prominent Azerbaijani civil society activists. The email contained an attachment “Human Rights Invoice Form Document – 2021.docx” prompting the recipient to download the attached file.
AIW reached out to partners at Qurium to analyze the attachment. The forensics confirmed the suspicions that the email was indeed carrying malware. According to preliminary conclusions, “the e-mail included a link to malware, with the capability of webcam and Desktop recording, execution of Windows commands (WMI) as well as extraction and uploading of selected files from the victim’s computer.”
Phishing incidents targeting civil society activists are common in Azerbaijan.
Numerous reports over recent years, including several by AIW in partnership with Qurium, have documented and investigated these attacks [see below].
A detailed report by Qurium presents an analysis of the malware and explains how it was built, its capabilities, and where it was hosted. Among the findings was the list of commands the implant accepts:
- desktoprecord
- webcamrecord
- download
- implant
- makepersistent
- massdownload
- stopimplant
- upload
- uploadexec
- wmicexec
- aueval
In addition to taking screen captures and recording the webcam, there was another interesting detail: whoever developed the malware either had limited command of English or was not using a spell-checker. As captured by Qurium, there were several spelling mistakes in the pop-up window shown to the user who opened the attachment: “Unsopported Microsoft Word version!” & @CRLF & “File corrupted. Error numer: 0x65415681.”
Qurium also released a report titled “A decade of efforts to keep Azerbaijani media online”, which sums up the assistance the platform has provided since 2010, including monitoring and mitigating a wide range of cyberattacks against websites in Azerbaijan, and, since 2016, releasing no fewer than twenty forensics reports documenting its findings.
- March 19, 2017 – False Friends: How Fake Accounts and Crude Malware Targeted Dissidents in Azerbaijan, Amnesty International
- January 14, 2020 – Mass phishing attack against Azerbaijan civil society [updated], AIW/Qurium
- January 15, 2020 – Fishing Phishers in Azerbaijan, Qurium
- February 20, 2020 – The “man” behind the phishing attacks, AIW/Qurium
- March 8, 2021 – Spotted: phishing attack on opposition activist [updated March 9], AIW