Aggah Campaign Leverages Freely Available Infrastructure to Distribute Multiple RATs

Malicious infection chain and variations of the final payloads

• In April 2020, an upgraded Aggah campaign was observed distributing malicious Microsoft Office documents via malspam emails distributing a multi-stage infection to trick the targeted end users. The campaign was distributing a variety of Remote-Access-Tool (RAT) families such as Agent Tesla, njRAT, and Nanocore RAT.
• In January 2020, the Aggah campaign further evolved from its previous version with new TTPs, and it included the use of a LokiBot variant as the delivered payload.
• In September 2019, the Aggah campaign was found delivering variations in the final payloads, with AzoRult being delivered for the first few days and after that, it delivered RevengeRAT.
• The Aggah campaign was first spotted in March 2019. In the beginning, attackers sent spoofed phishing emails with Word documents attached. Several delivery documents were found loading malicious macro-enabled documents from remote servers via Template Injection to eventually install RevengeRAT.

Focal points of the campaign

• The Aggah campaign used Pastebin, BlogSpot, and Bit.ly to manage the infected hosts and to run its botnet without renting a server. In April 2020, this campaign can be seen utilizing multiple Pastebin Pro accounts to host different stages of the attack.
• In April 2019, the campaign was seen targeting organizations in the government, health care, technology, manufacturing, financial, hospitality, and retail spheres. In March 2019, the attacks were initially aimed at the Middle East countries but soon attacks were detected on organizations in Europe and Asia, as well as the United States.

How to stay safe