RevengeRAT Distributed via Bit.ly, BlogSpot, and Pastebin C2 Infrastructure

guest · Apr 18, 2019

RevengeRAT Distributed via Bit.ly, BlogSpot, and Pastebin C2 Infrastructure
April 18, 2019
https://www.bleepingcomputer.com/ne...itly-blogspot-and-pastebin-c2-infrastructure/

A malicious campaign targeting entities from North America, Europe, Asia, and the Middle East during March used a combination of pages hosted on Bit.ly, BlogSpot, and Pastebin to create a command-and-control (C2) infrastructure designed to avoid getting blocked by security solutions.

Palo Alto Networks' Unit 42 discovered that the threat actors behind the campaign dubbed "Aggah" employed the C2 infrastructure built using only legitimate services to drop RevengeRAT (also known as Revetrat) payloads on organizations from "Technology, Retail, Manufacturing, State/Local Government, Hospitality, Medical, Technology, and other Professional business.

"Our analysis of the delivery document revealed it was built to load a malicious macro-enabled document from a remote server via Template Injection," found Unit 42's researchers.
Also, "These macros use BlogSpot posts to obtain a script that uses multiple Pastebin pastes to download additional scripts, which ultimately result in the final payload being RevengeRAT configured with a duckdns[.]org domain for C2."
Click to expand...

Unit 42: Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign

guest · Oct 2, 2019

Threat Group Uses Bit.ly, BlogSpot, Pastebin to Deliver Trojans, RATs
October 2, 2019
https://www.bleepingcomputer.com/ne...ly-blogspot-pastebin-to-deliver-trojans-rats/

A malicious campaign targeting corporations from all over the world was observed while using a combination of pages hosted on Bit.ly, BlogSpot, and Pastebin to deliver Azorult and RevengeRAT malware.
The command-and-control (C2) storage infrastructure used by the campaign dubbed MasterMana by Prevailion researchers who spotted it allows the threat actors behind the attacks to conceal malicious traffic from security solutions.

"Based upon exhibited tactics, techniques, and procedures (TTPs), we have associated it — with moderate confidence — to the 'Gorgon Group', a well known group active for numerous years and attributed with multiple ongoing malicious campaigns," says Prevailion's report.
Infection chain powered using third-party infrastructure
"This operation, which began as early as December of 2018, appears financially motivated, given the seemingly indiscriminate targeting of business email addresses via phishing and the inclusion of specific functions to steal information associated with cryptocurrency wallets," added Danny Adamitis and Matt Thompson in their report.

A very similar campaign dubbed "Aggah" by the Palo Alto Networks' Unit 42 researchers who spotted in March, was also observed while abusing Bit.ly, BlogSpot, and Pastebin for malware delivery.
Click to expand...

guest · Apr 30, 2020

Aggah malspam campaign updated with new payloads
April 30, 2020
https://www.scmagazine.com/home/email-security/aggah-malspam-campaign-updated-with-new-payloads/

An updated Aggah malspam campaign is distributing malicious Microsoft Office documents designed to trigger a multi-stage infection in order to a target a user’s endpoint.

The campaign is depositing Agent Tesla, njRAT and Nanocore RAT in a attack that is being run out of several Pastebin accounts, reported Cisco Talos. As with previous Aggah attacks, which began in January 2020, it is initiated through a phishing email containing a malicious attachment, which downloads a VBScript that then initiates the attack, infecting the endpoint with the RAT.
The updated version of the malware uses an additional .NET binary (and embedded VBScript and PowerShell scripts) to disable protection and detection mechanisms on the infected endpoint.

The attackers also altered the distribution of attack components across multiple free Pastebin accounts to modularize the attack infrastructure.
Finally, they opened a new Pastebin PRO account to host all the final RAT payloads. A pro account enables the attackers to modify the pastes and serve different malware at different points in time, Cisco Talos explained.
Click to expand...

Cisco Talos: Upgraded Aggah malspam campaign delivers multiple RATs

Log in or Sign up

RevengeRAT Distributed via Bit.ly, BlogSpot, and Pastebin C2 Infrastructure

guest Guest

guest Guest

guest Guest

Log in or Sign up

RevengeRAT Distributed via Bit.ly, BlogSpot, and Pastebin C2 Infrastructure

guest Guest

guest Guest

guest Guest

Useful Searches