External Threat Management Labs

New Aggah Campaign Hijacks Clipboards to Replace Cryptocurrency Addresses

Aggah is a threat group known for espionage and information theft worldwide, as well as its deft use of free and open-source infrastructure to conduct its attacks. We've recently reported that the group is linked with the Mana Tools malware distribution and command and control (C2) panel. RiskIQ recently identified a new Aggah campaign via our global monitoring of malicious VBScript code posted on websites. 

In this latest campaign, operators deployed clipboard hijacking code that replaces a victim's cryptocurrency address with an address specified by the actor. This code also deploys several malicious code files. 

These new campaigns are similar to previously reported Aggah campaigns in that the group used the free services Bitly, Blogspot, and usrfiles[.]com to host their malicious resources. So far, we've observed this clipboard hijacking technique replacing addresses for seven different cryptocurrencies.

Your Paste is My Command

RiskIQ recently observed malicious VBScript code posted at BlogSpot URLs in early October 2021. After a closer look, our researchers identified a series of URLs containing VBScript and PowerShell commands that subsequently conduct clipboard hijacking. This hijacking technique replaces victim cryptocurrency addresses with the attacker's own and installs Trojan backdoor malware files that communicate with dynamic DNS (DDNS) subdomains.

RiskIQ researchers suspect that Aggah uses emails to deliver the URLs that kick off the hijacking process. In one scenario, RiskIQ observed an email with a subject line containing "FW URGENT Request for information," which pointed to a Bitly link. The Bitly link forwarded the victim to the BlogSpot URL, which contained the initial VBScript code. This VBScript started a sequence that made registry modifications, set up scheduled tasks to perform clipboard hijacking of cryptocurrency addresses, and dropped Trojan and backdoor malware files onto the host system.

The VBScript code deployed to the victim host is a complex web of code sourced from multiple BlogSpot and usrfile[.]com URLs, using basic encoding methods in an attempt to evade detection and analysis.

How the Hijacking Works

Usually, the first VBScript code block that our researchers see on the BlogSpot URL contains code to kill Microsoft Word and Excel tasks. This code also modifies multiple registry settings to disable the macro warnings and disable the use of Protected View in versions 11, 12, 14, 15, 16 of Word, PowerPoint, and Excel. 

In their investigation, our researchers often observed a second VBScript code block that called out to four other BlogSpot URLs. These URLs host additional code that disables Windows Defender, stores the clipboard hijacking code in the victim host's registry, and schedules these tasks.

The attackers use the same BlogSpot subdomains to carry out each task, and each subdomain follows the same path and page naming convention as all the others. For example, the set of BlogSpot subdomains RiskIQ researchers observed over several different attacks conducted the following tasks: 

  • Disabling Windows Defender
  • Hijacking the clipboard
  • Configuring scheduled tasks
  • Deploying malicious files

For the complete technical analysis of how these BlogSpot subdomains conducted each of these tasks, visit RiskIQ's Threat Intelligence Portal.

Cryptocurrency Addresses Observed

RiskIQ saw seven different cryptocurrency addresses across all attack scenarios. All seven addresses were always included together in observed events. Visit RiskIQ's Threat Intelligence Portal to see each address the attackers substituted for clipboard contents matching the address pattern (a regular expression) for:

  • Bitcoin
  • Ethereum
  • XMR
  • XLM
  • XRP
  • LTC
  • Doge
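The hijacking described above (a scheduled task rewrites any clipboard content that matches one of the seven address patterns) can be approached from the detection side: a clipboard write that replaces one address with a different address of the same currency within a fraction of a second of the user's own copy is the signature of a swap. The following Python is an added example, not code from the original post or from RiskIQ. The address regular expressions are approximate format checks constructed for the example (not checksum validation, and not the actor's own patterns), the clipboard events are constructed sample data, and `ClipboardEvent`, `classify_address` and `find_swaps` are hypothetical names; a real monitor would feed it live clipboard snapshots together with the writing process.

```python
import re
from dataclasses import dataclass

# Approximate address formats for the seven currencies the post lists.
# Constructed for this example: format checks only, no checksum validation.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
    "XLM": re.compile(r"^G[A-Z2-7]{55}$"),
    "XRP": re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[ac-hj-np-z02-9]{25,62})$"),
    "DOGE": re.compile(r"^D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$"),
}


def classify_address(text):
    """Return the ticker whose pattern matches the clipboard text, or None."""
    s = text.strip()
    for ticker, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return ticker
    return None


@dataclass
class ClipboardEvent:
    """One clipboard write: when it happened, what was written, and by which process."""
    ts: float       # seconds
    text: str
    writer: str     # process that owns the clipboard after the write (hypothetical field)


def find_swaps(events, max_gap_s=2.0):
    """Flag writes that replace an address with a different address of the same currency
    within max_gap_s of the previous write. A user re-copying a second address minutes
    later is normal; a different address appearing a few hundred ms later is not."""
    alerts = []
    prev = None
    for ev in events:
        cur_type = classify_address(ev.text)
        if prev is not None and cur_type is not None:
            prev_type = classify_address(prev.text)
            if (prev_type == cur_type
                    and prev.text.strip() != ev.text.strip()
                    and ev.ts - prev.ts <= max_gap_s):
                alerts.append({
                    "ts": ev.ts,
                    "currency": cur_type,
                    "original": prev.text.strip(),
                    "replacement": ev.text.strip(),
                    "writer": ev.writer,
                })
        prev = ev
    return alerts


# Constructed sample timeline. The addresses are format-valid placeholders only.
USER_BTC = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SWAP_BTC = "1DemoSwapAddrDemoSwapAddrDemoSwap"
USER_ETH = "0x1234567890abcdef1234567890abcdef12345678"

SAMPLE_EVENTS = [
    ClipboardEvent(10.0, USER_BTC, "chrome.exe"),       # user copies an address
    ClipboardEvent(10.3, SWAP_BTC, "powershell.exe"),   # swapped 300 ms later: alert
    ClipboardEvent(45.0, USER_ETH, "chrome.exe"),       # user copies an ETH address
    ClipboardEvent(45.4, "meeting notes", "chrome.exe"),  # non-address text: ignored
    ClipboardEvent(90.0, USER_BTC, "chrome.exe"),
    ClipboardEvent(120.0, SWAP_BTC, "chrome.exe"),      # 30 s later: user's own action
]


def demo():
    """Run the detector over the constructed timeline and return its alerts."""
    return find_swaps(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print(f"[{alert['ts']:.1f}s] {alert['currency']} address swapped by "
              f"{alert['writer']}: {alert['original']} -> {alert['replacement']}")
```

The time window and the writing process are the two signals that separate a hijack from a user copying two addresses in a row; on a real host the writer would come from the clipboard owner window, and the alert is a good place to trigger a scheduled-task and registry review rather than an automatic block, since wallet software legitimately rewrites the clipboard in some flows.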

Linkage to "Mana Tools"

RiskIQ observed several keywords indicating this to be yet another Aggah campaign. Aggah is known to be linked to the threat actor 'Hagga,' who is associated with the Mana Tools malware distribution and command and control (C2) panel, a connection RiskIQ highlighted in October.

Beyond the TTPs reported in previous Aggah campaigns, such as the Bitly link to BlogSpot, keywords observed in these current BlogSpot events included the comment "by code 3losh rat" and the variable "$ALOSH" used in the code. Open-source research returned a GitHub page for the user "3losh-rat". Our teams have not yet compared the GitHub repositories with our observations, and any user could in theory have deployed the GitHub code. However, additional indicators point to an association with Hagga, including the Mana Tools panel being hosted on the same IP address as malware deployed in the Aggah campaign we cover here.

[Figure: screenshot of the Mana Tools login page]

For the complete technical analysis of this link, visit the RiskIQ Threat Intelligence Portal.

Palo Alto's Unit 42 observed a similar Aggah campaign in March 2019 in which operators used Bitly and BlogSpot URLs. In the 2019 campaign, scripts were saved on Pastebin pages. In this latest campaign, the additional scripts are saved on usrfile[.]com. The use of usrfile[.]com in Aggah campaigns was previously reported on by Yoroi. Deep Instinct has also reported on an Aggah campaign that deployed the clipboard hijacking code. However, at that time, only four hardcoded bitcoin addresses were used. In these latest campaigns, Aggah operators used addresses from various cryptocurrencies to replace the victim's clipboard contents.   

Scale Your Defenses Against VBScript Threats

RiskIQ's Internet Intelligence graph gives us a global view of the web that detects malicious code when it is posted. In this case, our VBScript code detections helped our researchers unearth a clever clipboard hijacking campaign by the prolific group Aggah, likely linked to the threat actor Hagga.

Windows Defender will block the actions taken by the VBScript and PowerShell code and quarantine any files dropped to the system. RiskIQ has also submitted all of the BlogSpot URLs to Blogger via its "Report potential Blogger policy violation" page.

Be sure to visit RiskIQ's Threat Intelligence Portal for the full technical analysis and a complete list of IOCs related to this investigation.
