New Operation Red Deer Connected to Aggah APT

Modus operandi

• Attackers use social engineering tactics to pressurize recipients into opening an attachment by claiming that a package is waiting for them and that they need to choose their preferred delivery method.
• The attachment is an HTML file that will automatically open on the user’s browser when clicked. Once opened, an ISO file is downloaded automatically. We also refer to the process as HTML Smuggling.
• In the final stage of the campaign, 3losh RAT, the modified version of the AsyncRAT, is deployed on victims’ systems. 

Change in tactics

• In an attack observed in October 2022, the .iso file was replaced by a .zip archive. The archive contains a .wsf script file, instead of the obfuscated VBS file, to download the malware.
• Furthermore, SSL certificates are hosted on several IPs/domains so that the threat actor can maintain and work with only one operating server while creating multiple hosts. 

Recent phishing attacks against Israelis

• CERT-UA discovered a phishing operation attributed to the UAC-0063 threat actor, which displayed potential interest in targeting Israel, Mongolia, Kazakhstan, Kyrgyzstan, and India. 
• In another instance, the Iranian state-sponsored Educated Manticore group was observed deploying an updated version of the PowerLess backdoor via phishing emails to target Israeli entities.

Conclusion