Aggah Campaign Leverages Freely Available Infrastructure to Distribute Multiple RATs

The Aggah campaign has been quite prolific recently and the attackers have used publicly available infrastructure such as Bit.ly, BlogSpot, and Pastebin to direct and host their infection components.

Malicious infection chain and variations of the final payloads

The “Aggah” infection chain has been observed distributing a variety of final payloads, varying from ransomware to RAT families.
  • In April 2020, an upgraded Aggah campaign was observed distributing malicious Microsoft Office documents via malspam emails distributing a multi-stage infection to trick the targeted end users. The campaign was distributing a variety of Remote-Access-Tool (RAT) families such as Agent Tesla, njRAT, and Nanocore RAT.
  • In January 2020, the Aggah campaign further evolved from its previous version with new TTPs, and it included the use of a LokiBot variant as the delivered payload.
  • In September 2019, the Aggah campaign was found delivering variations in the final payloads, with AzoRult being delivered for the first few days and after that, it delivered RevengeRAT.
  • The Aggah campaign was first spotted in March 2019. In the beginning, attackers sent spoofed phishing emails with Word documents attached. Several delivery documents were found loading malicious macro-enabled documents from remote servers via Template Injection to eventually install RevengeRAT.

Focal points of the campaign

The principal focus of the campaign was to utilize publicly available infrastructure to host different stages of the attack. This activity is likely part of a much larger campaign.
  • The Aggah campaign used Pastebin, BlogSpot, and Bit.ly to manage the infected hosts and to run its botnet without renting a server. In April 2020, this campaign can be seen utilizing multiple Pastebin Pro accounts to host different stages of the attack.
  • In April 2019, the campaign was seen targeting organizations in the government, health care, technology, manufacturing, financial, hospitality, and retail spheres. In March 2019, the attacks were initially aimed at the Middle East countries but soon attacks were detected on organizations in Europe and Asia, as well as the United States.

How to stay safe

Users are advised to not open word documents received from unknown senders or suspicious emails. Also, one should not ‘enable content’ in Microsoft Word or Excel sent by unknown persons. Download and install software from trusted sources or sites only. Organizations need to deploy malware analysis and breach detection tools to detect advanced malware activity on their network.