A recent cyber attack is exploiting Argentina’s judicial sector by using counterfeit court documents to distribute a dangerous malware. Legal professionals are being deceived into installing this harmful software, which is part of a campaign known as Operation Covert Access.
The attackers are utilizing spear-phishing emails that closely resemble authentic court communications. These emails distribute a Rust-based Remote Access Trojan, COVERT RAT, which grants attackers persistent access to compromised systems.
Targeting the Legal Landscape
The campaign specifically targets Argentina’s legal framework, impacting federal courts, law firms, government justice departments, academic bodies, and advocacy groups. By focusing on genuine court rulings related to preventive detention, the attackers exploit the inherent trust in legal documents, making the campaign exceptionally effective.
Point Wild analysts, expanding on research by Seqrite, have examined the operation in detail. They outlined the PowerShell execution flow and payload retrieval methods, highlighting the sophisticated, multi-layered approach aimed at remaining undetected within institutional networks.
Advanced Threat Capabilities
Beyond simple data surveillance, COVERT RAT connects to a command-and-control server at 181.231.253.69:4444. This connectivity allows attackers to execute various malicious activities, such as file theft and ransomware deployment.
The malware’s modular structure facilitates credential harvesting, privilege escalation, and encrypted file operations. Its ability to erase all traces post-operation complicates forensic investigations, adding to the threat’s severity.
Complex Delivery and Execution
Attackers employ a layered delivery system, starting with a phishing email that includes a ZIP file with a Windows shortcut, a batch loader script, and a fake judicial PDF. When executed, the malicious script operates in the background while the decoy PDF appears genuine.
Upon opening the shortcut, PowerShell is triggered in a concealed mode, launching a batch script that downloads the RAT from a GitHub repository. This use of GitHub enhances the attack’s perceived legitimacy, as traffic to the platform often bypasses security alerts.
Security measures are essential for legal and judicial professionals. Keeping antivirus software updated, avoiding suspicious email attachments, and monitoring system processes are critical steps to mitigate such threats.
Stay informed by following us on social media platforms like Google News, LinkedIn, and X for more updates.
