Threat Group - Aggah (TH-157)

Industry: N/A | Level: Operational | Source: Yoroi

Research from Yoroi Malware ZLAB has been tracking threat actor group Aggah (TH-157) since 2019. The group's recent activity has been targeting Ukraine, Lithuania, Italy, and additional east European countries, in which they have been conducting reconnaissance and data theft operations. A shared technical analysis identifies a nine-stage attack that involves establishing persistence to deliver a final payload. The initial vector comes from a malicious PowerPoint document using the "autoclose" macro to aid in bypassing sandbox checks and is delivered through spam emails. MSHTA execution leads to a bitly link leading to a fraudulent Blogspot page with the payload executing wscript and creating a scheduled task. Payload delivery involves the AgentTesla infostealer. The threat actor is able to vary the payload delivery infrastructure every 80 mins due to the scheduled task calling MSHTA to retrieve another Blogspot page.

• Anvilogic Scenario: Aggah/TH-157 - Behaviors
• Anvilogic Use Cases:
• MSHTA.exe execution
• Cscript or Wscript execution
• Create/Modify Schtasks
• Executable File Written to Disk