Tag: aggah
Serverless InfoStealer delivered in Est European Countries
12/17/2021
Introduction Threat actors' consistency over time represents an indication of effectiveness and experience, resulting in an increasing risk for targeted companies. The Yoroi Malware ZLAB is tracking the threat actor Aggah (TH-157) since 2019, along with PaloAlto UNIT42, HP and Juniper Networks, and the persistency of its malicious operation over time reveals a structured information stealing infrastructure, a worldwide campaign capable of quickly varying its distribution technique. We discovered new data theft and reconnaissance operations targeting multiple victims worldwide, including Ukraine, Lithuania, and Italy. The whole campaign impacted hundreds of victims and lasted for two months. CERT Yoroi was able to track the malware […]
Aggah: How to run a botnet without renting a Server (for more than a year)
01/27/2020
Introduction During the last year, we constantly kept track of the Aggah campaigns. We started deepening inside the Roma225 Campaign and went on with the RG Campaign, contributing to the joint effort to track the offensive activities of this threat actor. Recently, during our Cyber Defence monitoring operations, we spotted other attack attempts directed to […]
APT or not APT? What's Behind the Aggah Campaign
09/24/2019
Introduction During our threat monitoring activities, we discovered an interesting drop chain related to the well-known Aggah campaign, the ambiguous infection chain observed by Unit42 which seemed to deliver payloads potentially associated with the Gorgon Group APT. After that, we discovered other malicious activities using the same TTPs and infrastructures, for instance in “The Enigmatic […]