įigure 1 - Spoofed Spearphishing Email Sent to Fon Star PowerPoint Fileįile name Purchase order 4500061977,pdf.ppam
Spoofed business-to-business (B2B) email addresses against the targeted industry is activity consistent with Aggah. Other spearphishing emails were sent to CSE group, a Taiwanese manufacturing company, FomoTech, a Taiwanese engineering company, and to Hyundai Electric, a Korean power company. The email in Figure 1 below was sent on Jto Fon-star International Technology, a Taiwan-based manufacturing company. The body of the email contained order and shipping information along with an attached PowerPoint file named “Purchase order 4500061977,pdf.ppam”. The infection process began with a custom spearphishing email masquerading as “.uk”, an online food delivery service based in the United Kingdom.
Foxmail phishing archive#
The move to using compromised sites is likely due to fact the Internet Archive hosted files are being taken down much quicker and is a notable change for Aggah. Historically the group has used Internet Archive, Pastebin and Blogspot to host malicious scripts and payloads, usually RevengeRAT. Later that same year, Aggah were observed likely selling or loaning malware to lower-level Nigerian actors. Īggah has been consistently active since 2019, generally using the same identifiable TTPs, in 2020 the group conducted a campaign targeting the Italian manufacturing sector. Other researchers agree that Aggah is an Urdu speaking Pakistani group due to the use of Urdu words written in Latin script, but stress this does not mean they are the Gorgon Group. However, there were prominent Gorgon Group indicators not observed during that investigation, and therefore Unit 42 was unable to formally associate Aggah with the Gorgon Group. Unit 42 first assessed, due to shared high level TTPs as well as the use of RevengeRat, Aggah was associated with the Gorgon Group, a Pakistani group known for targeting Western governments. Further investigation by the same team revealed it to be a global phishing campaign designed to deliver RevengeRat. The researchers initially believed the activity was a campaign targeting entities in the United Arab Emirates (UAE). AggahĪggah is an information-motivated threat group that was first identified in March 2019 by researchers from Unit 42. Based on the TTPs of this campaign, we assess with moderate confidence this is Aggah. Our analysis found multiple PowerPoint files that contained malicious macros that used MSHTA to execute a script utilizing PowerShell to load hex-encoded payloads. The tactics, techniques, and procedures (TTPs) identified in this campaign align with the Aggah threat group. Anomali Threat Research assesses with moderate confidence that this campaign is being conducted by the threat group, Aggah.Īnomali Threat Research discovered a spearphishing campaign that appears to have begun in early July 2021, targeting the manufacturing industry throughout Asia.Compromised websites are being used to host malicious JavaScript, VBScript and PowerShell scripts delivering Warzone RAT.Spearphishing emails are targeting the manufacturing industry in Taiwan and South Korea to spread malware.Authored by: Tara Gould and Rory Gould Key Findings
0 kommentar(er)
