Aggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and Cryptocurrency Stealer


July 1, 2020 | Category: Threat Research | By: Alex Holland


In May 2020, HP Sure Click detected a notable malicious spam campaign that we investigated, in which the lure was a PowerPoint file. Its tactics, techniques and procedures (TTPs) link the activity to the threat actors behind a string of similar campaigns, known collectively as the Aggah campaign. In this campaign, malicious PowerPoint add-in files were used to deliver Agent Tesla and a PowerShell cryptocurrency stealer.

The use of PowerPoint malware is significant because it is uncommon. Of the office document malware isolated by HP Sure Click in 2020 so far, only 1% was PowerPoint malware (Figure 1). Most (65%) of the office document malware isolated used Microsoft Word file formats, such as DOC, DOCX and DOCM, followed by Excel formats.

Although aspects of the May 2020 Aggah campaign have been analysed elsewhere, information about the attacker’s email infrastructure and campaign victimology is difficult to find. HP Sure Click telemetry suggests that the sectors and countries targeted by the threat actor behind this latest campaign are broader than previously thought. We also analysed the differences from previous Aggah campaigns. The most significant alterations found were the use of a PowerPoint-based dropper instead of Word- or Excel-based droppers, and the new inclusion of a PowerShell Bitcoin stealer.

Figure 1 – Proportion of office document threats by type, based on HP Sure Click telemetry.

Targeting and Victimology

HP Sure Click isolated PowerPoint presentations tied to the May 2020 Aggah campaign whose filenames matched the regular expressions below. All the files shared the same hash value (SHA-256 7eafb57e7fc301fabb0ce3b98092860aaac47b7118804bb8d84ddb89b9ee38f3).

  • Moglix Purchase Order \d{6}\.(pps|ppt)
  • PO – \d{6}\.(pps|ppt)
  • Bank details\.ppt
  • Payment Details\.pps
  • New order GLT srl_\d{7}_\d{2}\.\d{2}\.\d{4}\.ppt
  • Scan emco Bautechni specifications\.pps

Figure 2 – Some of the detected samples shown in HP Sure Controller.

An analysis of the organisations that were targeted by the campaign shows that the targets belonged to six sectors, the most common being manufacturing. From HP Sure Click telemetry, the targets were located in eight countries, predominantly in Europe (Figure 3).

Figure 3 – Observed Aggah campaign infrastructure and targets in May 2020.

To make the phishing emails look more legitimate, the attacker spoofed the domains of five business-to-business (B2B) companies in the same or a related industry as the targets. The industries and locations of the spoofed organisations indicate that the attacker was targeting businesses across many sectors rather than individuals. The impersonated organisations are based in the following countries, indicating a wide geographic spread:

  • France
  • Germany
  • United Arab Emirates
  • India

Some of the recipient mail servers reported that the emails failed Sender Policy Framework (SPF) validation: the domain in the Return-Path (envelope sender) field did not authorise the connecting IP address in its SPF record, consistent with the sender domains being spoofed. However, in several cases the emails were still delivered to employees’ mailboxes, which suggests that some of the target organisations had not implemented a policy of rejecting mail that fails an SPF check. An SPF failure is only advisory: the receiving server decides what to do with it, and many act on it only when the spoofed domain also publishes a DMARC policy of quarantine or reject. We observed emails being sent from the following mail servers:

  • hwsrv-721609.hostwindsdns[.]com (192.119.91[.]236)
  • hwsrv-722288.hostwindsdns[.]com (192.119.106[.]136)
  • 172.241.27[.]218
  • 172.93.201[.]103
  • 172.93.201[.]113
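The following script is an added example, not code from the original post or from HP, that ties the victimology and email-infrastructure observations above into an offline triage step a mail-gateway or SOC analyst could run: it takes the envelope sender from the Return-Path header, evaluates a minimal SPF check for that domain against the connecting IP, compares the IP to the sender hosts listed above, and matches attachment filenames against the campaign's filename patterns. The SPF records, domains (`strict-supplier.example`, `lax-supplier.example`) and the sample messages built by `build_sample` are constructed for the test; only the filename patterns and sender IPs come from the post. The SPF evaluator supports only `ip4`, `ip6` and `all` terms (no `include`, `a`, `mx` or `redirect`), which is enough to show the difference between a `-all` hard fail and a `~all` softfail that most receivers still deliver.

```python
"""Offline triage of a suspected Aggah phishing email (added example).

The DNS records, the messages and the attachment names are constructed for
the test; only the filename patterns and sender IPs come from the post.
"""
import email
import email.utils
import ipaddress
import re
from email import policy

# Filename patterns from the post, anchored and matched case-insensitively.
# "PO – " is accepted with either an en dash or a hyphen (assumption).
CAMPAIGN_FILENAME_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^Moglix Purchase Order \d{6}\.(pps|ppt)$",
    r"^PO [–-] \d{6}\.(pps|ppt)$",
    r"^Bank details\.ppt$",
    r"^Payment Details\.pps$",
    r"^New order GLT srl_\d{7}_\d{2}\.\d{2}\.\d{4}\.ppt$",
    r"^Scan emco Bautechni specifications\.pps$",
)]

# Mail servers observed sending the campaign (from the post).
OBSERVED_SENDERS = {ipaddress.ip_address(a) for a in (
    "192.119.91.236", "192.119.106.136", "172.241.27.218",
    "172.93.201.103", "172.93.201.113")}

# Constructed SPF TXT records standing in for DNS; the domains are hypothetical.
FAKE_DNS_TXT = {
    "strict-supplier.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "lax-supplier.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}


def check_spf(domain, sender_ip, txt=FAKE_DNS_TXT):
    """Minimal SPF evaluation: ip4/ip6 mechanisms and 'all', with qualifiers.
    include/a/mx/redirect are not implemented and never match (illustration only)."""
    record = txt.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return results[qualifier]
        if mech in ("ip4", "ip6") and arg and ip in ipaddress.ip_network(arg, strict=False):
            return results[qualifier]
    return "neutral"  # nothing matched and no 'all' term: RFC 7208 default result


def sender_ip_from_received(msg):
    """Take the connecting IP from the topmost Received header (added by our own MX)."""
    received = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[0])) if received else None
    return m.group(1) if m else None


def triage(raw_message):
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    _, envelope_sender = email.utils.parseaddr(str(msg.get("Return-Path", "")))
    domain = envelope_sender.rpartition("@")[2]
    sender_ip = sender_ip_from_received(msg)
    spf = check_spf(domain, sender_ip) if domain and sender_ip else "none"
    known_infra = sender_ip is not None and ipaddress.ip_address(sender_ip) in OBSERVED_SENDERS
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    matched = [n for n in names if any(rx.match(n) for rx in CAMPAIGN_FILENAME_PATTERNS)]
    if spf == "fail":
        verdict = "reject"       # the domain owner published "-all": enforce it
    elif known_infra or matched:
        verdict = "quarantine"   # campaign indicators; SPF alone was not decisive
    elif spf in ("softfail", "none", "neutral"):
        verdict = "review"       # advisory SPF results are where spoofed mail slips through
    else:
        verdict = "deliver"
    return {"return_path_domain": domain, "sender_ip": sender_ip, "spf": spf,
            "known_infrastructure": known_infra, "matched_filenames": matched,
            "verdict": verdict}


def build_sample(return_domain, sender_ip, filename):
    """Construct a minimal multipart .eml for testing (not a captured message)."""
    return (
        f"Return-Path: <orders@{return_domain}>\n"
        f"Received: from mail.{return_domain} (unknown [{sender_ip}])\n"
        "\tby mx.target.example with ESMTP id abc123; Mon, 18 May 2020 09:12:44 +0000\n"
        f"From: Purchasing <orders@{return_domain}>\nTo: accounts@target.example\n"
        "Subject: Purchase Order\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nPlease see the attached order.\n"
        f'--b1\nContent-Type: application/vnd.ms-powerpoint; name="{filename}"\n'
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n"
    ).encode()


if __name__ == "__main__":
    print(triage(build_sample("strict-supplier.example", "192.119.91.236",
                              "Moglix Purchase Order 456123.pps")))
```

Running it with a `-all` domain and one of the observed sender IPs yields `spf: fail` and a `reject` verdict; the same attachment sent from an unlisted IP for a `~all` domain only softfails, which is exactly the case where the filename pattern match, not SPF, has to carry the decision.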

PowerPoint Dropper – Using Errors to Run Malware

The dropper used in this campaign was noteworthy because its execution relied on intentionally triggering a PowerPoint application error when the presentation was opened. Dismissing the error causes PowerPoint to close the presentation, which fires an Auto_Close event that was used to run a malicious Visual Basic for Applications (VBA) macro.

To achieve this, the dropper was implemented as a PowerPoint 97-2003 Add-in (.PPA) that had been renamed to use a .PPS (PowerPoint 97-2003 Slide Show) or .PPT (PowerPoint 97-2003 Presentation) file extension. The advantage of the PPA format is that, unlike other PowerPoint formats, it supports Auto_Open and Auto_Close VBA subroutines, so an attacker can trigger a malicious macro when a user opens or closes the file.

In this case, when the presentation is closed, a subroutine called “Page” is executed (Figure 4).

Figure 4 – Auto_Close and “Page” subroutines.

When opened, PowerPoint raises an error saying that the file cannot be read (Figure 5). Clicking the OK or Close button closes the presentation, causing the macro to run in the background before PowerPoint exits. Relying on this error to run the macro was most likely deliberate: the presentation contains no decoy content, so the attacker never intended the user to see a slide, only to dismiss the dialog.