A hacking campaign that targeted victims around the world used Blogspot, Pastebin and the link-shortening service Bit.ly to carry out its attacks, according to research published Wednesday by the security vendor Palo Alto Networks.
Palo Alto’s Unit 42 research group in March uncovered what it has called the Aggah campaign, a digital crime spree focused on organizations in the U.S., Middle East, Europe and throughout Asia. The group distributes malicious macro-enabled documents which rely on Blogspot posts and multiple Pastebin posts for a command-and-control infrastructure.
Researchers suggested the hacking campaign originated with the Gorgon Group, a collective that’s carried out a string of attacks from Pakistan over the past year, though Unit 42 said it’s too soon to attribute the activity to the Gorgon Group with any level of certainty.
“Unfortunately, our current data set does not afford insight into the attackers’ motivation other than to compromise a large number of victims,” Unit 42 stated in a blog post Wednesday. “While a lot of this activity behaviorally appears to be potentially related to the Gorgon Group’s criminal activity, it is currently unclear and requires additional analysis to prove.”
The Aggah name comes from “HAGGA,” the name of the Pastebin account the attacker appears to be using, according to Unit 42.
Hackers tried infiltrating a variety of organizations throughout the Middle East by sending people emails that appeared to be from large financial institutions but were likely only spoofed messages. The subject line of one message read “Your account is locked,” and an analysis of that message found it carried a malicious Word document titled “Activity.doc.”
That attachment included malicious commands, hidden behind a bit.ly link, and would try to slip past antivirus software to activate a malicious script, hosted on Blogspot, which in turn downloaded a malicious payload from Pastebin. The payload was a variant of RevengeRAT, a commodity Trojan that’s widely available.
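The chain described above (a link shortener, then a blog post hosting the script, then a paste site serving the payload) is made of requests to services most organizations allow, so no single request looks unusual. The following is an added example, not code from Unit 42 or from this article: a small proxy-log correlation that flags an internal host whose requests walk the bit.ly → Blogspot → Pastebin sequence in order within a short window. The log format, the field order, the IP addresses, the hostnames and every sample entry are constructed for the example.

```python
"""Flag hosts whose web requests walk the bit.ly -> Blogspot -> Pastebin chain.

Added example (not from the Unit 42 report or the article). The proxy log
format "<ISO timestamp> <client_ip> <method> <url>" and all sample entries
below are constructed; the hostnames and paste/shortlink IDs are placeholders.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Stages of the chain in the order the article describes them. A request is
# assigned to a stage when its hostname equals, or is a subdomain of, a suffix.
CHAIN = (
    ("shortener", ("bit.ly",)),
    ("stager", ("blogspot.com",)),
    ("payload", ("pastebin.com",)),
)
WINDOW = timedelta(minutes=10)

# Constructed sample log: host 10.0.0.12 completes the chain in three seconds;
# 10.0.0.33 only reads a blog; 10.0.0.47 only fetches a raw paste.
SAMPLE_LOG = """\
2019-04-03T09:14:02 10.0.0.12 GET https://bit.ly/EXAMPLE-SHORTLINK
2019-04-03T09:14:03 10.0.0.12 GET https://example-stage.blogspot.com/p/page.html
2019-04-03T09:14:05 10.0.0.12 GET https://pastebin.com/raw/EXAMPLE-PASTE
2019-04-03T09:20:44 10.0.0.33 GET https://news.blogspot.com/2019/04/post.html
2019-04-03T10:02:10 10.0.0.47 GET https://pastebin.com/raw/EXAMPLE-OTHER
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client_ip, hostname, path)."""
    ts, ip, _method, url = line.split(maxsplit=3)
    parsed = urlparse(url)
    return datetime.fromisoformat(ts), ip, (parsed.hostname or "").lower(), parsed.path


def stage_of(host):
    """Return the CHAIN stage name a hostname belongs to, or None."""
    for name, suffixes in CHAIN:
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                return name
    return None


def find_chains(log_text, window=WINDOW):
    """Return one alert per client that hits every CHAIN stage, in order, within `window`.

    Each alert records the client IP, when the chain started and the hostnames touched.
    """
    by_host = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, host, _path = parse_line(line)
        stage = stage_of(host)
        if stage is not None:
            by_host.setdefault(ip, []).append((ts, stage, host))

    alerts = []
    for ip, events in by_host.items():
        events.sort()
        for i, (start_ts, stage, _host) in enumerate(events):
            if stage != CHAIN[0][0]:
                continue  # a chain can only start at the first stage
            want, seen = 1, [events[i]]
            for ev in events[i + 1:]:
                if ev[0] - start_ts > window:
                    break  # too slow to count as one chain
                if ev[1] == CHAIN[want][0]:
                    seen.append(ev)
                    want += 1
                    if want == len(CHAIN):
                        alerts.append({
                            "client": ip,
                            "first_seen": start_ts.isoformat(),
                            "path": [e[2] for e in seen],
                        })
                        break
            if want == len(CHAIN):
                break  # one alert per client is enough
    return alerts


def raw_paste_fetches(log_text):
    """Weaker stand-alone signal: clients that fetched a raw paste (text, not the HTML page)."""
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, host, path = parse_line(line)
        if stage_of(host) == "payload" and path.startswith("/raw/"):
            hits.add(ip)
    return sorted(hits)


if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG):
        print("chain:", alert)
    print("raw paste fetches:", raw_paste_fetches(SAMPLE_LOG))
```

The ordered-sequence check is what keeps the false-positive rate tolerable: a host that merely reads a blog or a paste is not flagged, while one that touches all three services in the order the report describes, within seconds, is. The `raw_paste_fetches` helper is the weaker fallback signal (a raw paste download from a workstation) for environments where the shortener or blog step is not visible.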
Previous versions of RevengeRAT have been used to steal user credentials, log keystrokes, and relay specific information back to malware operators. In this case, Unit 42 said aspects of this campaign suggest it’s meant for “persistence.”
The Gorgon Group has spent the last year performing hacking operations against a range of global targets, CyberScoop reported, including a spree against government agencies from the U.S., U.K., Spain and Russia.