New Aggah Campaign Delivers AZORult and RevengeRAT as Final Payloads

• Researchers observed that the latest Aggah campaign delivered AZORult as its final payload for the first few days of September 2019, and after that, it delivered RevengeRAT as its final payload.
• Researchers noted that the RevengeRAT samples observed in this campaign could also be linked to the Gorgon Group.

The latest findings

Researchers from Yoroi-Cybaze ZLab have observed the latest Aggah campaign and discovered an interesting drop chain and variations in the final payloads.

More details about the campaign

• Aggah, the multi-stage infection campaign distributes a malicious Microsoft Office document that contains an obfuscated VBA macro code.
• The macro code invokes an OS command that redirects victims to a malicious Blogspot at hxxps://myownteammana.blogspot[.]com/p/otuego4thday[.]html.
• The malicious page contains a JavaScript snippet that is obfuscated using a combination of URL-encoding and string reversing.
• The script is designed to download the next malicious stage hosted on PasteBin.
• This malicious stage is designed to kill the Office suite processes and create a new registry key to achieve persistence on the infected system.
• The script downloads two other snippets from Pastebin, the first snippet corresponds to the “Hackitup” DLL file, while the second snippet is the final payload.

Final payloads

Researchers observed that the campaign delivered AZORult as its final payload for the first few days of September 2019, and after that, it delivered RevengeRAT as its final payload.

• A closer look at the C&C infrastructure determined a customized AzoRult 3.2 fork called “Mana Tools”.
• Meanwhile, the RevengeRAT samples observed in this campaign could also be linked to the Gorgon Group.

“The “Mana” campaign opens to a series of hypothesis about the threat actor behind it. According to Palo Alto Networks, the “Aggah” infection chain could have been used by GorgonGroup too, but with a different payload. So, it is possible that Gorgon added this particular AzoRult version to their arsenal, maybe to retrieve initial information about its initial victims or to increase their recon capabilities,” researchers said.