Aggah campaign using BlogSpot and Pastebin to distribute RevengeRAT


Researchers observed the Aggah campaign using BlogSpot and Pastebin to distribute variants of the RevengeRAT malware.

According to Unit 42 of Palo Alto Networks, the Aggah campaign began with an email sent on March 27. This email appeared to come from a large financial institution and informed recipients that their accounts had been locked.

Using this trick, the email delivered a malicious Word document that attempted to load a remote Object Linking and Embedding (OLE) document through template injection. The OLE document contained a macro that decoded and executed a link pointing to a BlogSpot article. Subsequently, the post used Pastebin entries to download additional scripts that downloaded a variant of the RevengeRAT malware family as the final campaign payload.

Initially, Palo Alto Networks found that the campaign targeted two countries in the Middle East, but further analysis revealed a larger effort targeting nearly a dozen verticals in the United States, Europe and Asia.

Rise of RevengeRAT

As reported by Softpedia, an Arabic-speaking malware programmer began advertising RevengeRAT for free on underground forums in June 2016. The author released a more sophisticated version of the malware just two months later.

Since then, researchers have spotted numerous campaigns spreading the remote access tool. For example, RSA detected a campaign in October 2017 that used spam to distribute the malware. In February 2019, Cofense discovered an attack that also used BlogSpot and Pastebin posts to infect users with RevengeRAT.

How to stay ahead of the Aggah campaign

Security professionals can help defend their organizations against an operation like the Aggah campaign by using early threat detection. This method helps security teams spot potentially malicious domains before malicious actors integrate them into their attack campaigns. Organizations should also use the VBA editor and other tools to inspect PDF files, Microsoft Office documents, and other email attachments for malicious macros.
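As an added example (not from Unit 42 or the original article), the following sketch shows one way to triage Word attachments for the template injection described above: it lists relationship parts inside the document ZIP that make Word load content from a remote location. The set of relationship types checked, the remote prefixes and the sample targets are assumptions chosen for illustration; the sample documents are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OFFICE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# Relationship types that make Word fetch and load content (plain hyperlinks are not).
LOADING_TYPES = ("/attachedTemplate", "/oleObject", "/frame", "/subDocument")
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "\\\\")  # URLs and UNC paths


def remote_loads(docx_bytes):
    """Return (part, type, target) for each relationship that loads remote content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            # Stdlib parser for brevity; a hardened parser is preferable on untrusted files.
            for rel in ET.fromstring(zf.read(part)).iter(REL):
                rtype, target = rel.get("Type", ""), rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and rtype.endswith(LOADING_TYPES)
                        and target.lower().startswith(REMOTE_PREFIXES)):
                    findings.append((part, rtype.rsplit("/", 1)[-1], target))
    return findings


def make_docx(template_target):
    """Build a minimal constructed document ZIP holding only relationship parts."""
    ns = "http://schemas.openxmlformats.org/package/2006/relationships"
    def rels(rtype, target):
        return ('<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s/%s" '
                'Target="%s" TargetMode="External"/></Relationships>'
                % (ns, OFFICE, rtype, target))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels("attachedTemplate", template_target))
        zf.writestr("word/_rels/document.xml.rels", rels("hyperlink", "https://example.invalid/"))
    return buf.getvalue()


if __name__ == "__main__":
    for target in ("https://example.invalid/t.dot", "file:///C:/Templates/Normal.dotm"):
        print(target, "->", remote_loads(make_docx(target)))
```

A template attached from a local path is common in legitimate documents, which is why the check reports only remote targets and ignores ordinary hyperlinks.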

David Bisson

Contributing editor

David Bisson is an infosec junkie and security reporter. He works as an editor for Graham Cluley Security News and associate editor for Trip …