Researchers observed the Aggah campaign using Bit.ly, BlogSpot, and Pastebin to distribute variants of the RevengeRAT malware.
According to Unit 42 of Palo Alto Networks, the Aggah campaign began with an email sent on March 27. This email appeared to come from a large financial institution and informed recipients that their accounts had been locked.
Using this pretext, the email delivered a malicious Word document that attempted to load a remote Object Linking and Embedding (OLE) document through template injection. The OLE document contained a macro that decoded a Bit.ly link pointing to a BlogSpot post and retrieved it. The post in turn pulled additional scripts from Pastebin entries, and those scripts downloaded a variant of the RevengeRAT malware family as the campaign's final payload.
Palo Alto Networks initially assessed that the campaign targeted two countries in the Middle East, but further analysis revealed a broader effort against nearly a dozen verticals in the United States, Europe, and Asia.
Rise of RevengeRAT
As reported by Softpedia, an Arabic-speaking malware programmer began advertising RevengeRAT for free on underground forums in June 2016. The author released a more sophisticated version of the malware just two months later.
Since then, researchers have spotted numerous campaigns distributing the remote access trojan. For example, RSA detected a campaign in October 2017 that used spam to distribute RevengeRAT. In February 2019, Cofense discovered an attack that, like Aggah, used BlogSpot and Pastebin posts to infect users with RevengeRAT.
How to stay ahead of the Aggah campaign
Security professionals can help defend their organizations against an operation like the Aggah campaign through early threat detection: monitoring for newly registered or newly active domains and flagging them before attackers put them to use. Because this campaign staged its payload on legitimate services (Bit.ly, BlogSpot, Pastebin) that reputation-based filtering is unlikely to block, teams should also alert on Microsoft Office processes reaching those services. Organizations should inspect Microsoft Office documents, PDF files, and other email attachments before delivery. Tools such as olevba and the VBA editor expose embedded macros, but the Aggah lure carried its macro in a remotely loaded template, so static checks must also look for external template references in the document's relationship files.
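The following is an added example of that static check, not tooling from Unit 42 or from the original article. It unpacks a .docx in memory, reads every relationship file, and flags any attachedTemplate relationship whose target is external, which is the remote template injection mechanism described above; it separately reports whether a VBA project is embedded. The sample document and the hostname example.invalid are constructed for the demonstration and are not indicators from the Aggah campaign.

```python
"""Static triage of .docx attachments for remote template injection and
embedded VBA.  Added example, not code from the article or from Unit 42.
The sample package and the host example.invalid are constructed inputs."""
import io
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def build_sample_docx(remote_template=None, with_vba=False):
    """Build a minimal OOXML package in memory (constructed test input).

    A real .docx carries many more parts; only those the triage inspects
    are included.  `remote_template` becomes an external attachedTemplate
    relationship in word/_rels/settings.xml.rels, which Word resolves and
    fetches when the document is opened."""
    rels = ET.Element("Relationships", xmlns=REL_NS)
    if remote_template:
        ET.SubElement(rels, "Relationship", Id="rId1", Type=ATTACHED_TEMPLATE,
                      Target=remote_template, TargetMode="External")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/settings.xml.rels",
                   ET.tostring(rels, encoding="unicode"))
        if with_vba:
            # A real vbaProject.bin is an OLE compound file; the magic
            # header is enough for this name-based check.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
    return buf.getvalue()


def triage_docx(data):
    """Return findings for one .docx: external template targets, any other
    external relationship targets, and whether a VBA project is embedded."""
    findings = {"remote_templates": [], "other_external": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["has_vba"] = any(n.lower().endswith("vbaproject.bin")
                                  for n in names)
        for name in names:
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                # Internal relationships point inside the package; only
                # TargetMode="External" makes Word reach out to a URL.
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                target = rel.get("Target", "")
                if rel.get("Type") == ATTACHED_TEMPLATE:
                    findings["remote_templates"].append((name, target))
                else:
                    findings["other_external"].append((name, target))
    return findings


def verdict(findings):
    """Map findings to a triage label.  A remote template is flagged even
    when no VBA is embedded: in the attack chain described above the
    first-stage document fetches its macro from the remote template, so a
    macro-only scan of the attachment would miss it."""
    if findings["remote_templates"]:
        return "suspicious: remote template injection"
    if findings["has_vba"]:
        return "review: embedded VBA project"
    return "clean"


if __name__ == "__main__":
    for label, doc in [
        ("remote template", build_sample_docx("http://example.invalid/t.dotm")),
        ("embedded vba", build_sample_docx(with_vba=True)),
        ("plain", build_sample_docx()),
    ]:
        f = triage_docx(doc)
        print(f"{label:16} -> {verdict(f)}  {f['remote_templates']}")
```

Ordinary documents routinely contain external relationships for hyperlinks, so `other_external` is reported for analyst context rather than used in the verdict; the attachedTemplate type is the one that causes Word to fetch and apply a template, including any macros it carries, at open time.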