Aggah APT Group Targets Taiwan, South Korea
Spear-Phishing Campaign Exploits PowerPoint Vulnerability
The Aggah advanced persistent threat group, believed to be of Pakistani origin, apparently was behind a recent spear-phishing campaign targeting manufacturing firms in Taiwan and South Korea, according to the Anomali Threat Research Team.
First identified in 2019, the group apparently has shifted from hitting targets in the United Arab Emirates to targeting organizations in the Far East, Anomali reports.
Aggah’s latest campaign, which began in July, used spoofed email addresses that looked identical to the targeted companies’ legitimate customers. The APT group appears to have exploited a PowerPoint vulnerability and has found ways to evade Microsoft’s built-in detection mechanisms, the researchers say.
PowerPoint Rarely Targeted
Some 65% of all malware targeting Microsoft Office uses MS Word extensions, such as DOC, DOCX and DOCM, according to HP’s threat research. Malware using MS PowerPoint file extensions accounts for only 1% of all known attacks, HP says.
In its latest campaign, Aggah used a Trojan dropper - a PowerPoint 97-2003 add-in - to trigger a PowerPoint application error when a victim opened an infected PPT file, the Anomali researchers report. The user sees an error message: “Sorry, PowerPoint cannot read the file.” When the user then clicks “OK” or closes the dialog box, it triggers the execution of the malicious macro.
The malicious macro goes beyond merely delivering the payload - it also renders Microsoft Defender useless by removing its signature set and evades detection, the researchers say. The script is also capable of disabling Microsoft’s "Protected View" security feature in Word, PowerPoint and Excel.
The Aggah group's recent campaign mostly targeted the manufacturing, agriculture, transportation and construction sectors, according to Anomali.
Aggah: Origin and Evolution
The Aggah APT group was discovered in March 2019 by Unit 42, Palo Alto Networks’ threat intelligence arm. Unit 42’s analysis revealed that the group had loaded a malicious macro-enabled document from a remote server using a method known as template injection. In this method, attackers create or modify the template references inside an MS Office document so that the malicious code is fetched from elsewhere rather than stored in the file itself, which helps conceal it. This process allowed the threat actors to install the RevengeRAT malware, which is known to infect devices through malicious email attachments.
The malware was then delivered as a Visual Basic script contained in .zip, .rar or .doc files through spear-phishing. An HP Threat Research blog explains that some of the targeted companies in Aggah’s previous campaigns had a Sender Policy Framework in place, which allowed their email servers to identify the fake emails, because the sender domains in the return-path field were spoofed.
But the email servers of many target companies had no mechanism for rejecting emails that failed SPF validation, so the emails still found their way into employees’ inboxes, according to HP researchers.
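The gap described above, SPF checks that were performed but whose failures were never acted on, as an added example of the policy a receiving server could apply; this is not code from Anomali, HP or Unit 42, and the Authentication-Results header layout, domains and messages are constructed samples.

```python
# Added example (not from the reports cited above). Assumes the receiving MTA has
# already recorded an Authentication-Results header (RFC 8601) for each message;
# all domains and headers below are constructed.
import email
import re
from email.utils import parseaddr

# Constructed sample: Return-Path domain spoofed to look like a customer, SPF failed.
SPOOFED = """\
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=customer.example
Return-Path: <billing@customer.example>
From: Accounts <billing@customer.example>
Subject: Updated purchase order

See attached.
"""

# Constructed sample: SPF passed and the Return-Path aligns with the From domain.
LEGIT = """\
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=customer.example
Return-Path: <billing@customer.example>
From: Accounts <billing@customer.example>
Subject: Updated purchase order

See attached.
"""

def spf_result(msg):
    """Return the spf= verdict the MTA recorded, or 'none' if there is none."""
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"

def return_path_aligned(msg):
    """True when the Return-Path (envelope sender) domain equals the From domain."""
    rp = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    frm = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return bool(rp) and rp == frm

def inbound_action(raw):
    """Decide what the receiving server does with a message: reject, quarantine or deliver."""
    msg = email.message_from_string(raw)
    verdict = spf_result(msg)
    if verdict == "fail":          # hard fail: the step the affected servers were missing
        return "reject"
    if verdict != "pass" or not return_path_aligned(msg):
        return "quarantine"        # softfail, none, errors, or an unaligned envelope sender
    return "deliver"
```

Hard SPF failures are rejected outright, while softfails, missing results and a Return-Path that does not align with the visible From domain are held for review rather than delivered to the inbox.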
Unit 42’s report shows that the emails Aggah used in its 2019 exploit targeting companies in the Middle East were portrayed as originating from a large financial institution, and the subject line read, “Your account is locked.”
In Aggah’s latest campaign, by contrast, Anomali’s researchers found that the group had sent an email from a spoofed business ID to Taiwanese manufacturing firm Fon-Star International Technology. The research report reveals that similar emails were sent to Taiwan-based CSE Group and FomoTech.
The researchers found that in South Korea, the Aggah group had targeted the Hyundai Electric power company.
Unit 42’s research shows that Aggah is associated with Gorgon Group, a Pakistan-based APT. Threat analyst Winston M, in his blog, says the Gorgon Group communicated in Urdu written in Latin script.
The manner in which Aggah and Gorgon threat groups spread malware is similar.
According to the MITRE ATT&CK knowledge base, Gorgon Group’s malware uses PowerShell commands to download and execute payloads and is capable of opening a decoy document on the target’s computer. Gorgon Group also uses macros in spear-phishing attachments and executes Visual Basic scripts on the target’s machine.
Investigations conducted by the Anomali Threat Research Team, Unit 42 and HP Threat Research have proven that the attack mechanism, usage of spoofed emails, exploitation of PowerPoint vulnerabilities, malware delivery using PowerShell commands and communication in Urdu are common factors connecting the Aggah and Gorgon Group APT groups.
Gorgon Group gained notoriety after its 2018 phishing attacks targeting government entities in the U.S., the U.K., Spain and Russia. As Unit 42 researchers reported, the group primarily used Trojan malware - such as NanoCore RAT, QuasarRAT and NJRAT - to deliver its payloads in target institutions.