silversurfer
An updated Aggah malspam campaign is distributing malicious Microsoft Office documents designed to trigger a multi-stage infection in order to target a user's endpoint.
The campaign is depositing Agent Tesla, njRAT and Nanocore RAT in an attack that is being run out of several Pastebin accounts, reported Cisco Talos. As with previous Aggah attacks, which began in January 2020, it is initiated through a phishing email containing a malicious attachment, which downloads a VBScript that then initiates the attack, infecting the endpoint with the RAT.
The updated version of the malware uses an additional .NET binary (and embedded VBScript and PowerShell scripts) to disable protection and detection mechanisms on the infected endpoint. The attackers also altered the distribution of attack components across multiple free Pastebin accounts to modularize the attack infrastructure. Finally, they opened a new Pastebin PRO account to host all the final RAT payloads. A pro account enables the attackers to modify the pastes and serve different malware at different points in time, Cisco Talos explained.
All of these changes and improvements lead the Cisco Talos team to believe that actors behind Aggah will continue to use free infrastructure like Pastebin and that a continued expansion of their malware arsenal will continue.
Full report by Cisco Talos:
Upgraded Aggah malspam campaign delivers multiple RATs, by Asheer Malhotra (blog.talosintelligence.com)
- Cisco Talos has observed an upgraded version of a malspam campaign known to distribute multiple remote access trojans (RATs).
- The infection chain utilized in the attacks is highly modularized.
- The attackers utilize publicly available infrastructure such as Bitly and...
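As an added illustration (not code from this post or from the Talos report), here is a small Python sketch of how a defender might flag the chain described above in endpoint telemetry: an Office application spawning a script host (VBScript, then PowerShell) that reaches out to a paste site. The event records, process names and the single hostname in the lookup set are constructed assumptions for the example.

```python
"""Detection sketch for an Aggah-style chain:
Office document -> VBScript (wscript.exe) -> PowerShell -> paste-site fetch.
Event records below are constructed sample data, not real telemetry."""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
PASTE_HOSTS = {"pastebin.com"}  # the hosting service named in the report

# Constructed sample events: (pid, parent pid, image name, destination host or None)
EVENTS = [
    (100, 1, "explorer.exe", None),
    (200, 100, "winword.exe", None),
    (300, 200, "wscript.exe", None),
    (400, 300, "powershell.exe", "pastebin.com"),
    (500, 100, "chrome.exe", "pastebin.com"),      # ordinary browsing: must not fire
    (600, 100, "powershell.exe", "pastebin.com"),  # no Office ancestor: must not fire
]

def build_tree(events):
    """Index parent links and image names by pid."""
    parent = {pid: ppid for pid, ppid, _, _ in events}
    image = {pid: img.lower() for pid, _, img, _ in events}
    return parent, image

def ancestry(pid, parent, image):
    """Return image names from pid up to the root (pid's own image first)."""
    chain = []
    while pid in image:
        chain.append(image[pid])
        pid = parent.get(pid)
    return chain

def find_suspicious(events):
    """Flag processes that descend from an Office app through at least one
    script host and contact a paste site. Returns a list of (pid, chain)."""
    parent, image = build_tree(events)
    hits = []
    for pid, _, _, dest in events:
        if dest not in PASTE_HOSTS:
            continue
        chain = ancestry(pid, parent, image)
        if any(p in OFFICE for p in chain) and any(p in SCRIPT_HOSTS for p in chain):
            hits.append((pid, chain))
    return hits

if __name__ == "__main__":
    for pid, chain in find_suspicious(EVENTS):
        print(f"pid {pid}: {' <- '.join(chain)}")
```

Only the process that has both an Office ancestor and a script host in its lineage is reported; the browser session and the stand-alone PowerShell instance that reach the same host are left alone.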