A malicious campaign that targeted entities in North America, Europe, Asia and the Middle East in March used pages hosted on Bit.ly, BlogSpot and Pastebin to build a command-and-control (C2) infrastructure that is hard for security products to block, because every hop in the chain is a legitimate, widely used service.
Palo Alto Networks Unit 42 discovered that the threat actors behind the campaign, dubbed “Aggah”, used this C2 infrastructure built entirely from legitimate services to drop RevengeRAT payloads (also known as Revetrat) on organizations in “Technology, Retail, Manufacturing, State / Local Government, Hospitality, Medical, Technology and other professional affairs.”
RevengeRAT is a publicly available remote access Trojan first published in 2016 on the Dev Point hacking forum. It can open remote shells, let the attacker manage files, processes and services, modify the Windows registry, track IP addresses, modify the hosts file, log keystrokes, dump user passwords and access the webcam, among other capabilities.
“Our analysis of the delivery document revealed that it was designed to load a malicious macro-compatible document from a remote server via Template Injection,” Unit 42 researchers wrote.
They added: “These macros use BlogSpot posts to get a script that uses multiple Pastebin pastes to download additional scripts, which ultimately results in the final RevengeRAT payload being set up with a duckdns[.]org domain for C2.”
Unit 42 first detected the campaign on March 27, when a decoy document made to look like an official letter from a financial institution was sent to entities in a Middle Eastern country under the email subject line “Your account is locked.”
Within four days the Aggah campaign had spread to other countries in the Middle East, and it was then observed reaching potential victims in North America, Asia and Europe as well.
Multi-step infection process
Once the decoy document is opened on a target’s computer, it immediately displays a decoy image designed to trick the user into clicking “Enable Editing” and enabling Microsoft Office macros. If the victim takes the bait, the document leaves Protected View and Word fetches a remote OLE document containing the malicious macro via template injection. The delivery document itself carries no VBA; it only carries a pointer to the remote template.
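The artifact a defender can look for in the delivery document is the template relationship itself: with template injection the VBA lives in the remote template, not in the document, so a scanner that only looks for an embedded vbaProject.bin finds nothing. The following Python script is an added example, not code from Unit 42 or from the campaign. It unzips a .docx, reads word/_rels/settings.xml.rels and reports any attachedTemplate relationship whose target is external; the sample document it builds is constructed for the demo and the URL in it is a placeholder, not an indicator from the report.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type that links a Word document to its attached template.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes):
    """Return the external template targets a .docx will fetch when opened.

    Template injection points the attachedTemplate relationship at a remote
    URL (TargetMode="External"). Word resolves that target once the document
    leaves Protected View, and the fetched template is what carries the VBA.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(SETTINGS_RELS))
    remote = []
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE:
            continue
        if rel.get("TargetMode") == "External":
            remote.append(rel.get("Target"))
    return remote


def triage(docx_bytes):
    """Return (verdict, targets).

    An http(s) template target is the template injection pattern. An external
    file:// or UNC target is unusual but can be a corporate template server,
    so it is reported for review rather than flagged outright.
    """
    targets = find_remote_templates(docx_bytes)
    if any(t.lower().startswith(("http://", "https://")) for t in targets):
        return "suspicious", targets
    if targets:
        return "review", targets
    return "clean", targets


def build_sample_docx(template_target, external=True):
    """Constructed minimal .docx for the demo; only the parts the check reads."""
    rel = (
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}"'
        + (' TargetMode="External"' if external else "")
        + "/>"
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL; a real lure would point at the attacker's template host.
    injected = build_sample_docx("http://template-host.invalid/lure.dotm")
    print(triage(injected))
    print(triage(build_sample_docx("Normal.dotm", external=False)))
```

On a real document, pass the file contents (open(path, "rb").read()) to triage; a "suspicious" verdict is worth pulling the URL for blocking and for pivoting on other samples that use the same host.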
Once downloaded to the compromised machine, the malicious script performs “multiple activities on the compromised system.” First, it tries to cripple Microsoft Defender by removing its signature definitions, and it kills the Defender process along with the processes of several Office applications.
The script then disables Protected View and enables macros for Word, PowerPoint and Excel on the infected computer, so that later malicious documents open and run without prompting the user.
In short, after reaching the victim’s machine the script weakens the endpoint’s defenses (Defender definitions removed, Defender and Office processes killed), loosens Office’s trust settings (Protected View off, macros on for Word, Excel and PowerPoint) and then continues the download chain toward the final payload.
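The registry changes described above leave durable evidence on the host that survives the process kills. The following Python script is an added example, not code from the Unit 42 report; it parses a reg.exe export of the per-user Office keys and flags the two settings the script is described as weakening: VBAWarnings=1 (all macros enabled) under each application’s Security key, and the Disable*InPV values under its ProtectedView subkey. The export text is constructed for the demo; the key paths and value names are the standard ones for Office 2016/2019/365 (version 16.0), so the Office version is an assumption about the victim.

```python
import re

# Office trust settings the Aggah script is described as changing.
VBA_WARNINGS_ENABLE_ALL = 1  # 1 = enable all macros; default 2 = disable with notification
PV_VALUES = (
    "DisableInternetFilesInPV",
    "DisableUnsafeLocationsInPV",
    "DisableAttachementsInPV",  # Microsoft's own spelling of the value name
)

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$')
OFFICE_RE = re.compile(
    r"\\Office\\(\d+\.\d+)\\(Word|Excel|PowerPoint)\\Security(\\ProtectedView)?$",
    re.IGNORECASE,
)


def parse_reg_export(text):
    """Parse the subset of .reg syntax reg.exe emits for DWORD values.

    Returns {key_path: {value_name: int}}. reg.exe writes exports as UTF-16
    with a BOM, so read a real file with open(path, encoding="utf-16").
    """
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def find_office_tampering(keys):
    """Return human-readable findings for macro / Protected View weakening."""
    findings = []
    for path, values in keys.items():
        m = OFFICE_RE.search(path)
        if not m:
            continue
        version, app, pv_subkey = m.group(1), m.group(2), m.group(3)
        if pv_subkey:
            for name in PV_VALUES:
                if values.get(name) == 1:
                    findings.append(
                        f"{app} {version}: Protected View disabled ({name}=1)"
                    )
        elif values.get("VBAWarnings") == VBA_WARNINGS_ENABLE_ALL:
            findings.append(f"{app} {version}: all macros enabled (VBAWarnings=1)")
    return findings


# Constructed export for the demo: Word has been tampered with, Excel is at the
# default (VBAWarnings=2) and has no ProtectedView overrides.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Word\\Security]
"VBAWarnings"=dword:00000001

[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\ProtectedView]
"DisableInternetFilesInPV"=dword:00000001
"DisableUnsafeLocationsInPV"=dword:00000001
"DisableAttachementsInPV"=dword:00000001

[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Excel\\Security]
"VBAWarnings"=dword:00000002
"""


if __name__ == "__main__":
    for finding in find_office_tampering(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

To collect the input on a live host, export the Office hive with reg.exe (for example `reg export HKCU\Software\Microsoft\Office office.reg`) and feed the file to parse_reg_export. A finding with VBAWarnings=1 across several applications at once is a stronger signal than a single change, since users rarely enable all macros everywhere by hand.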
The final payload, downloaded from Pastebin, is a RevengeRAT variant nicknamed “Nuclear Blast” that the threat actors configured to use lulla.duckdns[.]org as its C2 server.
During the analysis, researchers found that a single bit.ly link had been clicked more than 1,900 times by targets in roughly 20 countries. That is one of 33 different bit.ly download links on the IOC list for the attacks, which gives a sense of the campaign’s scale, and those are only the links the researchers were able to recover.
Additionally, by examining the properties of the decoy document, Unit 42 was able to find a number of other RevengeRAT samples connected to the campaign, as well as a few more C2 domains. Documents tied to the campaign operators carry timestamps spanning January to April 2019.
As the Unit 42 team noted, the technique of enabling macros and disabling Protected View in Office, the order in which the registry keys were changed, the tactic of killing the Windows Defender and Microsoft Office processes, and the use of a URL shortening service in the attacks all overlap with techniques used by the Gorgon Group (aka Subaat), which has been tracked since February 2018 and is believed to carry a number of other RATs in its toolset, including NanoCoreRAT, QuasarRAT and NJRAT.
Despite these overlaps, Palo Alto Networks researchers say there is no “concrete evidence that this attack campaign is associated with Gorgon.”