The campaign was carried out during March, threat actors tracked as
Aggah” used pages hosted on Bit.ly, BlogSpot, and Pastebin as a command-and-control (C2) infrastructure to distribute the RevengeRAT.
Attackers hit organizations in several industries including Technology, Retail, Manufacturing, State/Local Government, Hospitality, Medical, and other Professional business.
“In March 2019, Unit 42 began looking into an attack campaign that appeared to be primarily focused on organizations within a Middle Eastern country.” reads the analysis published by Palo Alto Networks.
“Further analysis revealed that this activity is likely part of a much larger campaign impacting not only that
The usage of legitimate services to deliver the malware aims at avoiding detection.
RevengeRAT variants were used by different APT groups, such as The Gorgon Group, that hit entities in the UK, Spain, Russia and in the US. The source code of the RAT has been publicly leaked a few years ago and could be actually part of multiple campaigns conducted by several threat actors.
RevengeRAT allows to open remote shells on the infected system, manage system files, processes, and services, log keystrokes, edit the Windows Registry, edit the hosts file, dump users passwords, and access the webcam, and many more actions.
Researcher an analyzed a bait document built to load a malicious macro-enabled document from a remote server via Template Injection.
“These macros use BlogSpot posts to obtain a script that uses multiple Pastebin pastes to download additional scripts, which ultimately result in the final payload being RevengeRAT configured with a duckdns[.]org domain for C2.” continues the analysis.
“During our research, we found several related delivery documents that followed the same process to ultimately install RevengeRAT hosted on Pastebin, which suggests the actors used these TTPs throughout their attack campaign.”
Once the victims opened the decoy document, it will display a lure image designed to trick them into turning on Microsoft Office macros to “Enable Editing.” If the victim enables the macros, a remote OLE document containing the malicious macro would be loaded using template injection.
“The malicious script carries out several activities on the compromised system. First, it attempts to hamper Microsoft Defender by removing its signature set. The script also kills the Defender process along with the processes for several Office applications.” reads the analysis.
Experts pointed out that the technique of enabling macros and disabling
Once downloaded on a victim’s machine, the script will perform the following main actions:
• Downloading a payload from a Pastebin URL
• Creating a scheduled task to periodically obtain and run a script from a Pastebin URL
• Creating an autorun registry key to obtain and run a script from a Pastebin URL
The last stage malware is downloaded from Pastebin, it is a RevengeRAT variant dubbed “Nuclear Explosion” that uses the lulla.duckdns[.]org domain as C2.
The analysis of a single bit.ly shortened URL revealed it was clicked over 1,900 times by targets from roughly 20 countries, this data could give us an idea of the extent of the campaign.
The analysis of decoy document’s properties allowed the experts to discover a number of other RevengeRAT samples used in this campaign.
Despite this, the Palo Alto Networks researchers conclude that there is no “concrete evidence that this attack campaign is associated with Gorgon.”
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.