An updated Aggah malspam campaign is distributing malicious Microsoft Office documents designed to trigger a multi-stage infection in order to a target a user’s endpoint.
The campaign is depositing Agent Tesla, njRAT and Nanocore RAT in a attack that is being run out of several Pastebin accounts, reported Cisco Talos. As with previous Aggah attacks, which began in January 2020, it is initiated through a phishing email containing a malicious attachment, which downloads a VBScript that then initiates the attack, infecting the endpoint with the RAT.
The updated version of the malware uses an additional .NET binary (and embedded VBScript and PowerShell scripts) to disable protection and detection mechanisms on the infected endpoint. The attackers also altered the distribution of attack components across multiple free Pastebin accounts to modularize the attack infrastructure. Finally, they opened a new Pastebin PRO account to host all the final RAT payloads. A pro account enables the attackers to modify the pastes and serve different malware at different points in time, Cisco Talos explained.
All of these changes and improvements lead the Cisco Talos team to believe that actors behind Aggah will continue to use free infrastructure like Pastebin and that a continued expansion of their malware arsenal will continue.