Threat Group Aggah Targets Industries Via Spear-Phishing Campaigns


A spear-phishing attack that seems to have commenced in early July 2021, targeting various manufacturing industries in Asia has been identified and reported by Anomali Threat Research. 

During this campaign, the strategies, methods, and procedures detailed in the report correspond to the threat group Aggah. The investigation further unveiled several PowerPoint files with harmful macros that employed MSHTA to launch a PowerShell script to charge hex-encoded payloads. Through the findings as well as the analysis based on the campaign's TTP, researchers evaluated that the threat group behind the security incident probably is Aggah. 

Cybercriminals employed numerous vulnerable WordPress websites to target Asian producers with a new operation for phishing attacks that deliver, the Warzone RAT, a freight for sale on crime forums, researchers stated. 

Warzone is a malware commodity having hacked versions available on GitHub. The RAT utilizes the Ave Maria stealer's code repeatedly. Warzone RAT's features include scale privilege, keylogging; remote shelling, file download and execution of files, file managers, and network endurance, as per the researchers.

Based on the recent research by Anomali threat detection and security agency, the threat organization Aggah, which is believed to be associated with Pakistan and was identified for the first time in March 2019, has delivered the RAT to manufacturing enterprises in Taiwan and South Korea. 

Aggah is an information-based threat group discovered by researchers from Palo Alto Network’s Unit 42, for the very first time. The researchers believed the activity to be a campaign against organizations in the UAE. In-depth research by the very same team revealed that it was a global Revenge Rat Phishing Campaign.

“Spoofed business-to-business (B2B) email addresses against the targeted industry is activity consistent with Aggah,” Tara Gould and Rory Gould from Anomali Threat Research wrote in a report on the campaign published Thursday 12th of August 2021. 

Aggah, which normally seeks to steal information from targets, was also previously considered to be affiliated with the Gorgon Group: a Pakistani organization recognized for targeting the Western governments. This relationship has still not been confirmed yet, however, the Anomali researchers believe that the Urdu-speaking group came from Pakistan. The most recent campaign of Aggah included the Taiwan-based manufacturing company, Fon-star International Technology; Fomo Tech, a Taiwanese engineering company, and the Korean power plant, the Hyundai Electric. 

Researchers have indicated that the latest campaign of Aggah for spear phishing began with a bespoke e-mail pretending to be from "," a UK-based food delivery service. “The email body includes order and shipping information as well as an attached PowerPoint file named 'Purchase order 4500061977, pdf.ppam' that contains obfuscated macros that use mshta.exe to execute JavaScript from a known compromised website,[.]html,” researchers stated. 

“ is the legitimate website for a hotel in India that has been compromised to host malicious scripts,” they said. “Throughout this campaign, we observed legitimate websites being used to host the malicious scripts, most of which appeared to be WordPress sites, indicating the group may have exploited a WordPress vulnerability.”