
Cyber Incident Victim: Armenian Deposit Guarantee Fund

Date:

Jan 2019

Location:

Armenia

Summary

A watering hole attack compromised several Armenian websites, including the Armenian Deposit Guarantee Fund, through injected malicious JavaScript that delivered a fake Adobe Flash update prompt. The operation, attributed to the Turla group, deployed persistent tracking mechanisms to fingerprint visitors and selectively targeted high-value individuals with malware. Initial payloads involved the known Skipper backdoor, later replaced by new .NET and Python-based malware (NetFlash and PyFlash) designed to evade detection, collect system information, and establish command-and-control communication for espionage purposes. The campaign relied on social engineering rather than exploits, focusing on governmental entities to facilitate data exfiltration.


Description

The Turla advanced persistent threat group compromised the Armenian Deposit Guarantee Fund's website (adgf.am) in a watering hole campaign active from at least January 2019 through November 2019. Attackers injected obfuscated JavaScript code into legitimate website files, including appending malicious scripts to the jquery-migrate.min.js library on compromised domains. This code redirected visitors to skategirlchina.com, where second-stage JavaScript performed browser fingerprinting using persistent evercookie tracking across multiple storage mechanisms. The script collected system information including browser plugins, screen resolution, and OS details, transmitting this data via POST requests to command-and-control servers. Only select visitors received follow-up payloads, with most encountering the malicious infrastructure during visits to four high-profile Armenian websites: armconsul.ru (Armenian Embassy in Russia), mnp.nkr.am (Artsakh Nature Protection Ministry), aiisa.am (Armenian security institute), and adgf.am.


Visitors deemed high-value targets received a fraudulent Adobe Flash update prompt that delivered malware through social engineering rather than exploit-based techniques. From January to August 2019, attackers distributed RAR-SFX archives containing both a legitimate Flash installer and the Skipper backdoor previously attributed to Turla. In September 2019, payloads shifted to NetFlash, a .NET downloader that deployed PyFlash, a Python-based backdoor compiled with py2exe. NetFlash established persistence through scheduled tasks and retrieved PyFlash from hardcoded IP addresses such as 134.209.222.206:15363. PyFlash exfiltrated system data over AES-encrypted HTTP communications, executing commands including systeminfo, tasklist, ipconfig, getmac, and arp. ESET researchers identified compilation timestamps indicating payload updates in late August and early September 2019; the campaign was observed to be suspended in late November 2019, when skategirlchina.com ceased malicious operations. The Armenian national CERT received compromise notifications and technical details prior to ESET's public disclosure in March 2020.
