Serverless InfoStealer delivered in Est European Countries
Threat actors' consistency over time represents an indication of effectiveness and experience, resulting in an increasing risk for targeted companies.
The Yoroi Malware ZLAB is tracking the threat actor Aggah (TH-157) since 2019, along with PaloAlto UNIT42, HP and Juniper Networks, and the persistency of its malicious operation over time reveals a structured information stealing infrastructure, a worldwide campaign capable of quickly varying its distribution technique.
We discovered new data theft and reconnaissance operations targeting multiple victims worldwide, including Ukraine, Lithuania, and Italy. The whole campaign impacted hundreds of victims and lasted for two months. CERT Yoroi was able to track the malware distribution infrastructure which was abusing the Bitbucket code repository infrastructures to evade detection mechanism, URL and domain reputation security check.
The following article describes how TH-157 conducted this new wave of attacks along with all the indicators needed by security teams to hunt down active intrusions.
This TH-157 campaign leverages multi-stage infrastructure decoupling mechanisms to achieve an elevated level of resilience to survive takedowns. The whole infection process counts 9 steps to deliver the final payload, but it is able to achieve persistence on the target machine even earlier.
Figure 1: Campaign attack chain
|Threat||Aggah Campaign November 2021|
|Brief Description||Malicious PPA macro dropper|
Differently from many other Office-based attacks, the Aggah infection starts with a weaponized powerpoint document. In this case the malicious routine will start upon closing the document using the “autoclose” macro. This routine is commonly used to bypass automated sandboxing execution, because, unlikely from the “autoopen” function, the “autoclose” is ran only an instant before the Office application is closing, and not all the automated sandboxes check for this behavior.
Figure 2: Macro execution
As confirmed by known TTPs, Aggah campaign uses a “bitly” link as medium to redirect the infected host to a blogspot page containing malicious VBScript code that will be executed abusing a LOLBIN.
In the first part of the Visual Basic script, the sample exploits the CLSID of Windows Script Host Shell Object to run the command which subsequently will create a file named “hulalalMCROSOFT.vbs” .
Figure 3: Malicious Blogspot VBScript code
Next, it gathers another VBscript utility from the BitBucket code repository service, a well-known platform used to develop code in a collaborative way.
The newly downloaded script is stored in the infected machine filesystem at the path “C:\Users\Public\xxx1.txt” and contains two layers of obfuscation: first the content is reversed and then Base64 decoded, a characteristic TTP of TH-157 obfuscation tools.
Figure 4: File “hulalalMCROSOFT.vbs”
The second layer of obfuscation is composed by other two distinct modules:
- The first is another piece of Visual Basic script containing a long Base64 dirty buffer , starting with the chars “TVqQ” corresponding to “MZ”, the magic header of the Portable executable files.The second is a powershell snippet instructed to clean and execute the dirty PE in the first module.
Figure 5: Powershell snippet
At this point, the control of the malicious process passes to the Powershell script, and the PE, which actually is a .NET assembly library is immediately loaded in memory, invoking the DLL’s “Run” method.
Figure 6: .NET Library
Moreover, the “Run” method, gather two additional payloads: the first from (hxxp://crypters[.]coolpage[.]biz/rumps/Rumppp[.]txt) and the second one from (hxxps://bitbucket[.]org/!api/2[.]0/snippets/hogya/KpMMLg/a2975578cff84cf6c198f055b21a7a6e3f14cd15/files/rotyh12)
The first payload (text) will be loaded in memory and the “Run” method invoked, as in the previous step, but two arguments will be passed, the first is the path to “aspnet_regbrowsers.exe”, a legit Microsoft tool, and the second the Base64 decoded payload.
Figure 7: .NET Injector
Then, the “Execute” method will perform the process hollowing technique based on the WinAPI primitives CreateProcessW NtUnmapViewOfSection ,VirtualAlloxEx, ReadProcessMemory, WriteProcessMemory, GetThreadContext, SetThreadContext, and ResumeThread. The ultimate injected payload is an obfuscated version of the notorious info stealer AgentTesla, capable of exfiltrating sensitive information from victim machine such as browser session cookies, keystrokes, saved passwords, and to silently spy on victim screen.
Figure 8: AgentTesla Payload
Besides the description of the main infection chain, the Aggah campaign uses a malleable persistence method. Thanks to a scheduled task pointing to a public blogspot page, the threat actor is able to quickly vary the payload and the delivery infrastructure. The task will start every 80 minutes and the MSHTA tool will retrieve another blogspot page to initiate another backup dropchain, potentially with additional payload.
Figure 9: Scheduled task evidence
The Bitbucket Distribution Infrastructure
The new distribution infrastructure uses BitBucket, a legit website for source code hosting, used to replace for example archive.org in the “WayBack” campaign widely described in our last report about Aggah. In this campaign we found mostly two accounts operating approximately since October 2021.
- hxxps://bitbucket.org/hogya/workspace/snippets/ (hogya - harsh singh)
- hxxps://bitbucket.org/choasknight/workspace/snippets/ (choasknight)
In detail, these two BitBucket accounts were abused to deliver over 30 distinct agent tesla malware attacks, heavily obfuscated as we previously deepened.
Figure 10. Abused bitbucket code snippets
Accessing and dissecting the data inside command-and-control infrastructure of the agent tesla samples delivered during this Aggah campaign, we noticed an interesting polarization on geo-distribution of the campaign targets: an unusual spike in the CIS countries (Ukraine, Lithuania, Belarus, Russia), and Indonesia. Now, we have no clear interpretation of such unusual polarization, but many geopolitical tensions running across the UE borders are effectively increasing in the last months of 2021 and we can’t exclude TH-157 may be selling its services or partnering with other unknown parties.
Figure 11. Aggah’s targets distribution
This TH-157 revealed a renewed capability to abuse high reputation infrastructure all around the world to threaten private companies, conduct reconnaissance operations, and steal data from unaware personnel. This new malware delivery mechanism investigated by Yoroi’s Malware ZLAB was abusing the notorious Bitbucket code repository cloud services to evade traditional antimalware protection and domain reputation safe checks, recalling us the limits of such defensive approaches.
Preventing industrial property theft and intrusions potentially able to escalate in destructive extortions require advanced detection technologies such automated malware sandboxes like Yomi Hunter, and constant eyes on both endpoints and network through endpoint agents like Kanwa EDR solution, armed by constantly up-to-date intelligence coming from high level threat research.
Indicator of Compromise
Bitbucket Payloads Links:
C2 Panels (agent tesla):
This blog post was authored by Luigi Martire, Carmelo Ragusa, and Luca Mella of Yoroi Malware ZLAB