The email's .gz attachment contains an .exe which, if opened, triggers the malware infection. Stolen data is exfiltrated via Telegram.
Yoroi-ZLAB: the Aggah cybercrime group is still alive and evolving, with new TTPs, including the use of a LokiBot variant as the delivered malware
The Aggah cybercrime campaigns are still alive and evolving, as discovered by Yoroi-ZLab cyber security experts. The researchers started by digging into the Roma225 campaign and went on with the RG campaign, contributing to the joint effort to track the offensive activities of this threat actor. Recently, they spotted further attack attempts directed at Italian companies operating in the retail sector. For this reason, the team decided to dissect this campaign, attributed to Aggah, to track its latest variations. This time the cyber criminals chose a LokiBot variant as the delivered malware.
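The delivery vector noted in the caption above, a gzip attachment that unpacks to an executable, can be screened for at the mail gateway without trusting the filename. The following is an added example and not code from Yoroi-ZLab or from the campaign analysis: it inflates only a bounded prefix of the attachment (a guard against decompression bombs), then checks for a DOS "MZ" stub whose e_lfanew offset points at a "PE\0\0" signature. The sample attachments, including the minimal fake PE, are constructed inline for the demonstration.

```python
import gzip
import io
import struct

# Upper bound on decompressed bytes we are willing to inspect. A hostile
# attachment can be a decompression bomb, so never inflate it blindly.
MAX_INFLATE = 16 * 1024 * 1024


def inflate_prefix(blob: bytes, limit: int = MAX_INFLATE) -> bytes:
    """Decompress at most `limit` bytes of a gzip blob (bounded read)."""
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as gz:
        return gz.read(limit)


def is_pe(data: bytes) -> bool:
    """True if `data` starts with an 'MZ' stub whose e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' header, i.e. it is a Windows PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def gz_attachment_hides_exe(attachment: bytes) -> bool:
    """Return True if a gzip attachment decompresses to a PE executable,
    regardless of the name it was sent under (e.g. invoice.pdf.gz)."""
    if attachment[:2] != b"\x1f\x8b":  # gzip magic; anything else is not our concern here
        return False
    try:
        # The PE headers live in the first few KB, so a small prefix is enough.
        inner = inflate_prefix(attachment, 4096)
    except (OSError, EOFError):  # corrupt or truncated gzip stream
        return False
    return is_pe(inner)


def _fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob for the demo: MZ stub, e_lfanew=0x40,
    then the PE signature. It is not a real or runnable executable."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 0x100


# Constructed sample attachments (hypothetical names, not from the campaign).
CONSTRUCTED_SAMPLES = {
    "invoice.pdf.gz": gzip.compress(_fake_pe()),        # exe hiding under a document-like name
    "report.txt.gz": gzip.compress(b"quarterly figures\n"),  # benign gzip
    "notes.txt": b"plain text, not gzip",               # not gzip at all
}


def scan_samples(samples=CONSTRUCTED_SAMPLES) -> dict:
    """Map each attachment name to whether it hides a PE executable."""
    return {name: gz_attachment_hides_exe(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, flagged in scan_samples().items():
        print(f"{name}: {'BLOCK (PE inside gzip)' if flagged else 'ok'}")
```

The check deliberately ignores the inner filename stored in the gzip header, since the attacker controls it; only the decompressed bytes are inspected. A production gateway would extend the same bounded-inflate approach to nested archives.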
The cyber security experts' assessment of the threat group
According to the cyber security experts, the Aggah actor keeps threatening organizations all around the world. Over time it built a custom stager implant based on legitimate third-party services, such as Pastebin and BlogSpot, which the cybercriminals abuse to manage the infected hosts and run their botnet without renting a server. During the last year Yoroi-ZLab contributed to the joint effort to track its activities, along with Palo Alto's Unit42, and after a year the researchers can confirm it is still active and dangerous. At the moment it is not clear whether this actor is selling its hacking services, running its own campaigns, or both. There is also no hard evidence confirming or denying its potential relationship with the Gorgon APT, and factors such as the different nationalities involved and the small number of victims connected to the December Aggah activities do not help to exclude it.