External Threat Management Labs Analyst

Mana Tools: A Malware C2 Panel with a Past

Knowing an adversary's infrastructure and its connections helps security teams map, monitor, and track that infrastructure and its composition: malware, suspicious activity, threat capabilities, shared attack tools, and the relationships among them across the worldwide attack surface.

As part of our ongoing research into malware distribution infrastructure, we investigated "Mana Tools," a malware distribution and command-and-control (C2) panel associated with several big names in the malware world, including RevengeRat, AzoRult, Lokibot, Formbook, and Agent Tesla.

Mana Tools was first reported in 2019 by Yoroi researchers, who identified it as a fork of the AzoRult 3.2 panel built by a Pakistani actor known as Hagga. The Mana Tools logo still appears on current samples of the panel, and using RiskIQ's dataset we were able to find several Mana Tools login pages.

Mana Tools login page detected by RiskIQ complete with Mana Tools logo

A review of Mana Tools infrastructure in RiskIQ data showed that the service stacks running on these Mana Tools servers are similar to those we identified in our March 2020 blog on infrastructure connected to Agent Tesla.

Hagga the Horrible

Hagga, the mastermind behind Mana Tools, is a Pakistani actor named Aqib Waseem (aka Aqib Qureshi and Aqib DaQureshi) who is not new to the malware scene. Hagga was first identified in April 2018 in an article published on freebuf.com that enumerated the emails Hagga used to register domains connected to malware. According to RiskIQ data, Hagga began registering domains in March 2014 using the email aqibseo@gmail[.]com.

The freebuf.com article's author tied their analysis back to activity involving a threat actor referred to as Subaat, first identified by Palo Alto Networks' Unit 42 in 2017. Comparing malicious files associated with Hagga's domains with samples from the older Subaat activity led the author to conclude that the files and C2 infrastructure in that older activity were also Hagga's.

The author also identified several C2 domains from the Subaat activity registered using emails known to be Hagga's. URLs used to deliver malware from one of these domains, asaigoldenrice[.]com, contained the letters "daq," possibly referring to "DaQureshi," the alias of Aqib Waseem, aka Hagga. 

These C2 domains later appeared in an August 2018 article from Unit 42 on Subaat and the Gorgon Group, a Pakistani threat group responsible for the "FudCo" organization (see also Brian Krebs' article on FudCo). However, while Hagga's activities overlap with some Gorgon Group activities, there is not yet conclusive evidence tying Hagga to the group.
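The attribution chain above rests on two kinds of pivot: a strong one (domains registered with an email already tied to Hagga, and any further emails seen on those same domains) and a weak one (a recurring path token such as "daq" that only suggests a link). The script below is an added example, not RiskIQ's tooling or the freebuf.com author's method. It works over constructed WHOIS history and URL observations; only aqibseo@gmail[.]com and asaigoldenrice[.]com are taken from the article, and every other domain, email and path is a made-up placeholder. It expands the seed email to a registrant cluster by iterating until no new domains or emails appear, then reports token matches on domains outside that cluster separately, so a path token never silently promotes a domain into the attributed set.

```python
"""Registrant-email pivot with a separate weak-signal (URL token) pass.

Added example, not code from the article. All records below are
constructed; only aqibseo@gmail[.]com and asaigoldenrice[.]com appear in
the original text, the rest are placeholders.
"""
from collections import defaultdict

# Constructed WHOIS history: (domain, registrant email). A domain can
# carry several emails over time, which is what makes the pivot expand.
WHOIS_HISTORY = [
    ("asaigoldenrice[.]com", "aqibseo@gmail[.]com"),
    ("first-placeholder[.]net", "aqibseo@gmail[.]com"),
    ("first-placeholder[.]net", "second-alias@example[.]com"),  # re-registered later
    ("second-placeholder[.]info", "second-alias@example[.]com"),
    ("unrelated[.]org", "someone-else@example[.]com"),
    ("lookalike[.]biz", "another-person@example[.]com"),
]

# Constructed delivery URLs observed per domain: (domain, path).
URL_OBSERVATIONS = [
    ("asaigoldenrice[.]com", "/daq/build.exe"),
    ("second-placeholder[.]info", "/update/payload.exe"),
    ("unrelated[.]org", "/docs/invoice.pdf"),
    ("lookalike[.]biz", "/daq2/stage.exe"),
]


def build_indexes(history):
    """Index the history both ways: email -> domains and domain -> emails."""
    by_email = defaultdict(set)
    by_domain = defaultdict(set)
    for domain, email in history:
        by_email[email.lower()].add(domain.lower())
        by_domain[domain.lower()].add(email.lower())
    return by_email, by_domain


def pivot_cluster(history, seed_emails, max_hops=5):
    """Expand seed emails to domains, then to every email ever seen on
    those domains, until the cluster stops growing (or max_hops is hit)."""
    by_email, by_domain = build_indexes(history)
    emails = {e.lower() for e in seed_emails}
    domains = set()
    for _ in range(max_hops):
        new_domains = set().union(*(by_email[e] for e in emails)) - domains
        if not new_domains:
            break
        domains |= new_domains
        emails |= set().union(*(by_domain[d] for d in new_domains))
    return domains, emails


def weak_token_leads(urls, cluster_domains, token):
    """Paths containing the token on domains NOT in the registrant cluster.
    Kept apart from the cluster: a shared path fragment is a lead to
    corroborate, not attribution on its own."""
    token = token.lower()
    leads = {}
    for domain, path in urls:
        d = domain.lower()
        if token in path.lower() and d not in cluster_domains:
            leads.setdefault(d, []).append(path)
    return leads


def triage(history, urls, seed_emails, token):
    """Run the strong pivot first, then the weak pass against its result."""
    domains, emails = pivot_cluster(history, seed_emails)
    return {
        "registrant_cluster": sorted(domains),
        "registrant_emails": sorted(emails),
        "weak_token_leads": weak_token_leads(urls, domains, token),
    }


if __name__ == "__main__":
    import json
    report = triage(WHOIS_HISTORY, URL_OBSERVATIONS, ["aqibseo@gmail[.]com"], "daq")
    print(json.dumps(report, indent=2))
```

With the constructed data the cluster grows from the single seed email to three domains and two emails, because first-placeholder[.]net was registered under both; lookalike[.]biz is reported only as a weak lead, since its "daq2" path is the only thing connecting it. Indicators stay defanged ("[.]") so the output can be pasted into a report without creating live links.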

The complete list of infrastructure discussed in this article is available in the RiskIQ Threat Intelligence Portal.

Understand Hagga, Understand the Global Threat Landscape

Since that 2018 article, Hagga's activities have been widespread, with his fingerprints on malware activity across the globe. Other threat actors also use Hagga's tools: in February 2020, Paul Burbage published an article connecting Hagga to Nigerian actors who were using his panels to deliver malware.

Understanding the many threat groups, and keeping track of new ones as they emerge, is crucial to situational awareness. Hagga is one of the central cogs in the malware delivery ecosystem and should be firmly on the radar of network defenders everywhere.

Scale Your Defenses to Meet Mana Tools

Like your attack surface, your adversary's digital footprint is continuously evolving. With access to real-world observations, insights into digital relationships, and internet connections to threat systems and threat actors, you gain the intelligence necessary to scale your defenses. 

With an internet-wide view of the threat landscape, we can detect the patterns that unearth this infrastructure and help RiskIQ, our partners, and our customers mitigate its impact.

The full article, including the list of IOCs, is available in the RiskIQ Threat Intelligence Portal.
