Aggah Campaign Spreads RevengeRAT Using Legitimate Services

Delaware, USA – April 22, 2019 – At the end of March, a large-scale campaign to distribute RevengeRAT using Pastebin, BlogSpot, and was uncovered. Palo Alto Networks’ researchers admit that the campaign is being conducted by the Pakistani threat actor ‘Gorgon Group‘, but so far there is not enough evidence to state this with high confidence. Initially, the findings indicated that the campaign was aimed at the Middle East countries, but soon security researchers managed to detect attacks on organizations in Europe and Asia, as well as the United States. Cybercriminals are interested in organizations in government, health care, technology, manufacturing, and retail spheres. They send spoofed phishing emails with Word document attached. The document doesn’t contain malicious macro, but it is in remote OLE document downloaded using Template Injection technique. The macro in OLE document downloads Excel file with a highly obfuscated script that forces a browser to open a blog hosted at Blogspot. The code hidden on the page attempts to ‘disarm’ Microsoft Defender, disable security mechanisms in Microsoft Office and download RevengeRAT from a Pastebin URL. The code also creates a scheduled task and an autorun registry key to gain persistence and periodically update malware.

Using legitimate services to create a command-and-control infrastructure allows cybercriminals to avoid early detection by security solutions. Palo Alto Networks’ experts discovered that over 1900 users followed the link to the malicious blog post. Advanced threat actors are constantly looking for and finding ways to circumvent standard security solutions, so organizations need to maximize the effectiveness of their tools. APT Framework rule pack allows to monitor the company’s infrastructure constantly and uses different methods of statistical profiling and behavioral analysis to enable the most efficient use of existing technologies: