

In March 2019, Unit 42 began looking into an attack campaign that appeared to be primarily focused on organizations within a Middle Eastern country. Further analysis revealed that this activity is likely part of a much larger campaign impacting not only that region but also the United States, and throughout Europe and Asia. Our analysis of the delivery document revealed it was built to load a malicious macro-enabled document from a remote server via Template Injection. These macros use BlogSpot posts to obtain a script that uses multiple Pastebin pastes to download additional scripts, which ultimately result in the final payload being RevengeRAT configured with a duckdns.org domain for C2.

During our research, we found several related delivery documents that followed the same process to ultimately install RevengeRAT hosted on Pastebin, which suggests the actors used these TTPs throughout their attack campaign.

Initially, we believed this activity to be potentially associated with the Gorgon Group. Our hypothesis was based on the high-level TTPs, including the use of RevengeRAT.

However, Unit 42 has not yet identified direct overlaps with other high-fidelity Gorgon Group indicators. Based on this, we are not able to assign this activity to the Gorgon Group with an appropriate level of certainty. In light of that, Unit 42 refers to the activity described in this blog as the Aggah Campaign, based on the actor’s alias “hagga”, which was used to split data sent to the RevengeRAT C2 server and was the name of one of the Pastebin accounts used to host the RevengeRAT payloads.

Our research into the Aggah campaign began with a delivery document sent to organizations in a single Middle Eastern country via an email on March 27, 2019. This email appeared to originate from a large financial institution in the same country, although it was likely spoofed. This initial delivery document was sent to organizations in one Middle Eastern country, specifically to organizations in the education, media/marketing, and government verticals. The subject of the email was “Your account is locked.” Four days later, on March 31, we saw the same delivery email sent to a financial organization in a second Middle Eastern country. We later discovered that this delivery document was just one of many in a larger campaign sent to organizations in the United States, Europe and Asia, targeting the same verticals as in the Middle East as well as Technology, Retail, Manufacturing, State/Local Government, Hospitality, Medical, Technology, and other Professional business.

The related documents were functionally similar, so we will describe the original sample we analyzed. The email sent on March 27 had a Word document attached with the filename “Activity.doc” (SHA256: d7c92a8aa03478155de6813c35e84727ac9d383e27ba751d833e5efba3d77946) that attempted to load a remote OLE document via Template Injection. When “Activity.doc” is opened, it displays the image in Figure 1 as a lure in an attempt to trick the user into enabling content to allow macros to run.
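Remote Template Injection of the kind described above relies on an `attachedTemplate` relationship in the document's settings part pointing at an external URL, so a defender can triage a suspect file by inspecting that relationship. The following is an added example, not code from Unit 42 or from this campaign: it assumes the delivery document is an OOXML container (a `.docx`/`.dotm` possibly carrying a `.doc` extension) and builds a constructed test file in memory rather than using any real sample.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)

def find_remote_templates(doc_bytes):
    """Return external http(s) URLs referenced as attachedTemplate relationships.

    Template Injection points word/_rels/settings.xml.rels at a remote
    document, which Word fetches when the lure is opened. A clean file
    (or one with only a local template path) yields [].
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return hits
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                target = rel.get("Target", "")
                if urlparse(target).scheme in ("http", "https"):
                    hits.append(target)
    return hits

def build_sample(template_target=None):
    """Constructed minimal OOXML container for testing (not a real sample).

    If template_target is given, it is written as an external attachedTemplate
    relationship, the way an injected document carries it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/settings.xml", "<settings/>")
        rels = [f'<Relationships xmlns="{REL_NS}">']
        if template_target:
            rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                        f'Target="{template_target}" TargetMode="External"/>')
        rels.append("</Relationships>")
        z.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()

if __name__ == "__main__":
    # Placeholder URL: the campaign's actual hosting locations are not reproduced here.
    print(find_remote_templates(build_sample("http://attacker.example/t.dotm")))
    print(find_remote_templates(build_sample()))
```

The same check can be run over a directory of quarantined attachments; a hit on a document that arrived by email is a strong signal regardless of the lure image it displays.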
