External Threat Management Labs

New Aggah Campaign Hijacks Clipboards to Replace Cryptocurrency Addresses

Aggah is a threat group known for espionage and information theft worldwide, as well as its deft use of free and open-source infrastructure to conduct its attacks. We've recently reported that the group is linked with the Mana Tools malware distribution and command and control (C2) panel. RiskIQ recently identified a new Aggah campaign via our global monitoring of malicious VBScript code posted on websites. 

In this latest campaign, operators deployed clipboard hijacking code that replaces a victim's cryptocurrency address with an address specified by the actor. This code also deploys several malicious code files. 

External Threat Management Labs Analyst

The Vagabon Kit Highlights ‘Frankenstein’ Trend in Phishing

In early 2021, RiskIQ first detected a new phishing campaign targeting PayPal. The campaign, authored by an actor calling themselves "Vagabon," looks to collect PayPal login credentials and complete credit card information from the victim.

The kit doesn't display many unique characteristics and is a textbook example of a "Frankenstein" kit. In this increasingly popular trend, threat actors piece together new phish kits from modular, free, or readily available kits and services. 

External Threat Management Labs

Discord CDN Abuse Found to Deliver 27 Unique Malware Types

Discord, a popular VoIP, instant messaging, and digital distribution platform used by 140 million people in 2021, is being abused by cybercriminals to deploy malware files. 

Users can organize Discord servers into topic-based channels in which they can share text or voice files. They can attach any type of file within the text-based channels, including images, document files, and executables. These files are stored on Discord's Content Delivery Network (CDN) servers. 

External Threat Management Labs Analyst

Mana Tools: A Malware C2 Panel with a Past

Knowing the infrastructure and its connections helps security teams map, monitor, and track adversary-threat infrastructure and its composition—malware, suspicious activity, threat capabilities, shareable attack tools, and their relationships within the worldwide attack surface. 

As part of our ongoing research into malware distribution infrastructure, we investigated "Mana Tools," a malware distribution and command and control (C2) panel associated with several big names in the malware world, including RevengeRat, AzoRult, Lokibot, Formbook, and Agent Tesla. 

Mana Tools was first reported in 2019 by Yoroi researchers, who identified it as a fork of the AzoRult 3.2 malware created by a Pakistani actor known as Hagga. The Mana Tools logo appears on current samples of the Mana Tools panel. Using RiskIQ's dataset, we were able to find several Mana Tools login pages.

External Threat Management Labs Magecart

“Bom” Skimmer is Magecart Group 7’s Latest Model

RiskIQ has tracked Magecart since skimmers first surfaced in 2016 and burst into the headlines in the landmark attack against British Airways. In the time since, our researchers have cataloged hundreds of iterations of Magecart skimmers as different threat groups build, appropriate, tweak, and develop them to suit their unique purposes. 

Despite their ongoing changes, these skimmers often maintain enough of the same characteristics and infrastructure for keen eyes to link them to past attacks and the responsible groups. In the case of the newly identified "bom" skimmer, which has been deployed on dozens of counterfeit online stores, distinct features and TTPs linked us directly to its predecessor skimmers, including the widespread MakeFrame version. It also pointed us to its operators, Magecart Group 7. 

External Threat Management Labs

Untangling the Spider Web

RiskIQ’s Team Atlas assesses with high confidence that the network infrastructure supporting the exploitation of a Windows zero-day vulnerability disclosed by Microsoft on September 7, CVE-2021-40444, shares historical connections with that of a ransomware syndicate known as WIZARD SPIDER. This group, also tracked separately under the names UNC1878 and RYUK, deploys several different ransomware families in targeted Big-Game Hunting campaigns. More recently, they have come to rely on a backdoor known as BazaLoader/BazarLoader to deliver payloads, the most common of which is Cobalt Strike.

External Threat Management Labs

Flowspec Bulletproof Services Enable Cybercrime Worldwide

In our analysis of threat infrastructure spanning the global attack surface, we see bulletproof hosting providers continue to play an integral role in threat campaigns and provide essential services for cybercriminals. Flowspec, a bulletproof hosting provider that has been around since October 2018, is a one-stop-shop for threat groups, facilitating phishing campaigns, malware delivery, Magecart skimmers, and large swaths of other malicious infrastructure. 

The service's IP space enables phishing campaigns that have targeted various banks and domain names spoofing the Steam Community, Counter-Strike: Global Offensive, and Amazon. Flowspec also facilitates the theft of payment data by hosting several Magecart domains. Researchers have associated many different malware files with Flowspec IP space, including banking trojans, ransomware, various backdoors, and more.

External Threat Management Labs

RiskIQ Analysis Links EITest and Gootloader Campaigns, Once Thought to Be Disparate

As RiskIQ tracks malware families to identify infrastructure patterns and common threads between threat campaigns via our Internet Intelligence Graph, we often surface strong links between seemingly disparate threat campaigns. In the case of EITest and GootLoader, these campaigns may have turned out to be one and the same.

Researchers around the industry have tracked EITest and its evolution for the better part of a decade. Thus far, no one has connected it to the much newer GootLoader malware delivery campaign. However, infrastructure connections in RiskIQ data belonging to GootLoader directly correlate with past EITest activity and the current malware delivery campaign.

External Threat Management Labs Magecart

Magecart Group 8: Patterns in Hosting Reveal Sustained Attacks on E-Commerce

Magecart Group 8 has been targeting online retailers since 2016. This distinct skimming group first came to light when RiskIQ, led by researcher Yonathan Klijnsma, analyzed its skimmer in 2017 and exposed attacks on Nutribullet in February 2020 and on MyPillow and Amerisleep in 2019.

The group hasn't fixed what isn't broken and today still uses the same skimmer and many of the same tactics and techniques to steal payment data. When selecting its targets, the group seems to continue to favor the home improvement industry, specifically hardware, real estate services, and interior design and decor. 

Supported by our Internet Intelligence Graph, our researchers identify patterns to uncover new threat infrastructure and attacks across the global threat landscape. For Magecart Group 8, its choice of hosting providers shed new light on its skimming activities. RiskIQ researchers identified a pattern in the group's use of the hosting providers Flowspec, JSC TheFirst, and OVH, and its propensity to transition potentially inactive infrastructure from bulletproof hosting providers to legitimate ones such as Velia.net.
