Open-Source Remote Access Trojan Targets Armenian Airport and State Institutions
Macro, MS Word, RAT, Trojan, VBA
September 22, 2023
Threat-researchers at CyberHUB-AM, with the support from Internews’ Martijn Grooten, are tracking a Remote Access Trojan targeting the Armenia International Airports and Armenian State Bodies. The attack was first identified by a Singapore-based cybersecurity researcher – Zhixiang Hao.
The malware is embedded within an MS Word document, which is presented as an official warning message from Armenia’s National Security Service, and employs VBA Macro code and powershell script to gain foothold in the system.
This report provides an in-depth analysis of the malware, its functionality, and associated indicators of compromise (IOCs) to enable effective threat mitigation.
Block emails originating from the domain aacpress.net to prevent further attacks.
This threat analysis report outlines a malware campaign targeting Armenians using a malicious MS Word document with embedded VBA Macro code. The malware’s functionalities include downloading and executing malicious payloads, contacting a remote C2 server, and utilizing the UrbanBishop payload. Mitigation strategies are provided to safeguard against this threat, emphasizing the importance of proactive monitoring and network security measures. Security teams are encouraged to stay vigilant and update their defenses accordingly.