The latest in a series of online attacks is ‘Aggah’, a global malware campaign with roots in the Middle East. The Windows malware is a commodity Trojan script spread via an infected Microsoft Word document. The perpetrators trick users into downloading and activating the malicious code, which delivers RevengeRAT.
Since RevengeRAT is assembled from several open-source Trojan builds, it is very difficult to pinpoint the actual spammer. The people behind the operation use the alias ‘haggah’.
Windows Malware: How Does ‘Aggah’ Work?
A malware attack in the Aggah campaign consists of three main steps.
- E-mail a Word document titled ‘Activity.doc’ to the target
- Prompt the user to enable content, which allows the document to run macros
- A shell command fetches a Blogspot page, which in turn downloads malicious scripts
The malware in the Aggah campaign works very discreetly, through a long chain of steps initiated by a macro.
The Weakness Being Exploited
With Microsoft Open Office XML (OOXML), the older binary document formats (.doc, .ppt) have been replaced by new XML-based formats (.docx, .pptx).
An OOXML file is a ZIP archive made up of ‘Parts’, which together are responsible for rendering the document when it is opened.
How Parts are rendered is governed by ‘Properties’ (relationships), which may reference publicly shared resources by URL. This is what attackers exploit: whenever such a document is opened, a remote reference can be used to load a malicious script instead of the intended content, a technique known as Template Injection.
Template Injection Definition
Template Injection is the process of replacing the blueprint (template) of a document, served from the attacker’s side, with malicious code that is then injected into the document of an unsuspecting user.
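The remote reference described above lives in the archive’s relationship (.rels) parts. The following is an added example, not code from the article or from Unit 42, that scans every .rels part of an OOXML file for external http(s) relationships and flags the attachedTemplate type that triggers a remote template fetch; the sample document it builds is constructed in memory and is not the real ‘Activity.doc’.

```python
# Added example: detect remote-template (Template Injection) references in
# OOXML files by inspecting the relationship (.rels) parts of the ZIP.
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship type Word resolves to load an attached (possibly remote) template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def find_remote_relationships(ooxml_bytes):
    """Return (part, rel_type, target) for every relationship in any .rels part
    that is TargetMode="External" and points at an http(s) URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and target.lower().startswith(("http://", "https://"))):
                    findings.append((name, rel.get("Type", ""), target))
    return findings


def is_template_injection(ooxml_bytes):
    """True when a remote attachedTemplate relationship is present: Word will
    fetch and load the referenced template as soon as the document opens."""
    return any(t == ATTACHED_TEMPLATE for _, t, _ in find_remote_relationships(ooxml_bytes))


def build_sample_docx(template_url):
    """Constructed minimal .docx whose word/_rels/settings.xml.rels references a
    remote template; a test fixture, not the real Activity.doc."""
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{ATTACHED_TEMPLATE}" Target="{template_url}" '
            f'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx("http://example.invalid/template.dotm")
    for part, rtype, target in find_remote_relationships(doc):
        print(f"{part}: {rtype.rsplit('/', 1)[-1]} -> {target}")
```

Any external relationship, not only attachedTemplate, is worth reviewing, since other relationship types can also cause Office to reach out to a remote host on open.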
The latest Windows malware uses the following steps to exploit the feature described above:
- The user receives an e-mail titled ‘Your account is locked’ with a Word document, ‘Activity.doc’, attached.
SHA256 of ‘Activity.doc’ file
- The document contains an image asking the user to ‘view in desktop’, ‘Enable editing’ and ‘Enable Content’.
- Enabling content is the real goal: once enabled, the document uses Template Injection to fetch and load an OLE document from a remote server, which contains an RTF (Rich Text Format) file.
- The RTF runs an Excel sheet containing a heavily encrypted macro that loads a URL via a shell command to access the OS kernel.
- The shell command downloads the contents of the URL, a Blogspot site.
- The Blogspot site contains several JavaScript snippets that disable Microsoft Defender by changing its signature and also disable MS Office functions.
- The JavaScript then sets key registry values for MS Office apps to 1.
- After that, the script disables Microsoft Protected View.
- Finally, the script uses Pastebin to download the malicious code and run shell commands.
This malware campaign is targeting financial institutions, government bodies, education institutions, marketing agencies, etc.
The Windows malware campaign was spotted by Unit 42, the cybersecurity research team at Palo Alto Networks.
How To Stay Safe
Currently, it is advised not to open any Word document resembling the one described above. Also, don’t enable ‘content’ in MS Word, and open suspicious documents only in Office 365, as macros can’t be enabled there.
Malware attacks have risen significantly in recent years. From pirated Game of Thrones episodes to Microsoft Word documents, anything capable of drawing heavy traffic is being laced with malware.
Several ransomware strains have also caused havoc, particularly in the industrial engineering sector, causing hundreds of thousands of dollars in damage. On top of that, several new types of ransomware are on the rise, disguising themselves as PC-enhancing mods while encrypting user files.
In today’s fast-evolving world it is best advised to stay one step ahead to stay safe.