An updated Aggah malspam campaign is distributing malicious Microsoft Office documents designed to trigger a multi-stage infection in order to a target a user's endpoint.

The campaign is depositing Agent Tesla, njRAT and Nanocore RAT in a attack that is being run out of several Pastebin accounts, reported Cisco Talos. As with previous Aggah attacks, which began in January 2020, it is initiated through a phishing email containing a malicious attachment, which downloads a VBScript that then initiates the attack, infecting the endpoint with the RAT.

The updated version of the malware uses an additional .NET binary (and embedded VBScript and PowerShell scripts) to disable protection and detection mechanisms on the infected endpoint. The attackers also altered the distribution of attack components across multiple free Pastebin accounts to modularize the attack infrastructure. Finally, they opened a new Pastebin PRO account to host all the final RAT payloads. A pro account enables the attackers to modify the pastes and serve different malware at different points in time, Cisco Talos explained.

Please register to continue.

Already registered? Log in.

Once you register, you'll receive:

  • News analysis

    The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.

  • Archives

    Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.

  • Daily Newswire

    SC Media’s essential morning briefing for cybersecurity professionals.

  • Learning Express

    One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.