Blog Aggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and Cryptocurrency Stealer

July 1, 2020 Category: Threat Research By: Alex Holland Comments: 0

Aggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and Cryptocurrency Stealer

A notable PowerPoint malicious spam campaign we investigated recently was detected by HP Sure Click in May 2020. Its tactics, techniques and procedures (TTPs) suggest that the activity is linked to threat actors behind a string of similar campaigns, known collectively as the Aggah campaign.  In this campaign, malicious PowerPoint Add-in files were used to deliver Agent Tesla and PowerShell cryptocurrency-stealing malware.

The use of PowerPoint malware is significant because it’s uncommon. Of the office document malware isolated by HP Sure Click in 2020 so far, only 1% was PowerPoint malware (Figure 1). Most (65%) of the office document malware seen in the wild uses Microsoft Word file formats, such as DOC, DOCX and DOCM, followed by Excel formats.

Although aspects of the May 2020 Aggah campaign have been analysed elsewhere, information about the attacker’s email infrastructure and campaign victimology is difficult to find. HP Sure Click telemetry suggests that the sectors and countries targeted by the threat actor behind this latest campaign are broader than previously thought. We also analysed the differences from previous Aggah campaigns. The most significant alterations found were the use of a PowerPoint-based dropper instead of Word- or Excel-based droppers, and the new inclusion of a PowerShell Bitcoin stealer.

Figure 1 – Proportion of office document threats by type, based on HP Sure Click telemetry.

Targeting and Victimology

HP Sure Click isolated PowerPoint presentations tied to the May 2020 Aggah campaign that were named according to the regular expressions below. All the files shared the same hash value (SHA-256 7eafb57e7fc301fabb0ce3b98092860aaac47b7118804bb8d84ddb89b9ee38f3).

  • Moglix Purchase Order \d{6}\.(pps|ppt)
  • PO – \d{6}\.(pps|ppt)
  • Bank details\.ppt
  • Payment Details\.pps
  • New order GLT srl_\d{7}_\d{2}\.\d{2}.\d{4}\.ppt
  • Scan emco Bautechni specifications\.pps

Figure 2 – Some of the detected samples shown in HP Sure Controller.

An analysis of the organisations that were targeted by the campaign shows that the targets belonged to six sectors, the most common being manufacturing. From HP Sure Click telemetry, the targets were located in eight countries, predominantly in Europe (Figure 3).

Figure 3 – Observed Aggah campaign infrastructure and targets in May 2020.

To make the phishing emails look more legitimate, the attacker spoofed the domains of five business-to-business (B2B) companies in the same or a related industry as the targets. The industries and locations of the spoofed organisations indicate that the attacker