Cybersecurity firm Yoroi has detailed a threat actor it has been monitoring for a few years, called Aggah (TH-157).
The actor mostly targets the Italian manufacturing industry in various campaigns, such as Roma225 and RG.
Previously, UNIT42 researchers were closely monitoring the actor and unveiled a large-scale operation that also targeted victims in the United States, Europe, and Asia.
In one major operation that Yoroi observed, the threat actor delivered over 900 pieces of malware that have highly dangerous capabilities “enabling the threat actor to conduct both digital and environmental monitoring of their victims across the globe.”
Yoroi says it is not clear whether these operations are related to the Gorgon/Subaat threat group, but there are indications of a link.
The actor has been very active since at least 2019 and is most active in the European and Italian markets.
Recently, the Yoroi Malware ZLAB solution successfully intercepted an operation that targeted various European and Italian organizations. Yoroi researchers determined the attack was part of a wider offensive campaign that lasted for months. The analysis of TTPs revealed that the actor has been carrying out new attacks since April 2021. Based on the evidence gathered during the attack infrastructure analysis, researchers were able to reconstruct at least six offensive waves that were part of the campaign.
Yoroi detected an evolution in the techniques of this threat actor. However, their strategic choice remains constant: a large amount of the malware delivery infrastructure is still serverless, Yoroi wrote.
In the last three months, Aggah started using different third-party services to gain entry into the target organizations, among them the Internet Archive.
“Traditionally, the actor was heavily abusing Pastebin services to host and drop malicious code, but in the latest campaign, they abuse Internet Archive, the popular nonprofit service created to help the internet community store and pass on today’s open knowledge to our heirs,” Yoroi wrote.
The actor used multiple accounts to hide their malicious code, which was stored in Internet Archive repositories.
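The serverless delivery pattern described above (payloads hosted on legitimate services such as Pastebin and the Internet Archive, fetched by a script or Office process on the victim host) is hard to block at the network edge, because the hosting domains are widely used for legitimate purposes. A practical detection approach is to triage proxy logs for requests to those services that either hit a raw-content download path or come from a non-browser client. The following is an added example, not code from Yoroi's report or from any Aggah sample; the watchlist, the path and user-agent patterns, the log line format and the sample log lines are all constructed assumptions to be adapted to your own proxy's format and environment.

```python
import re
from urllib.parse import urlparse

# Assumed watchlist of legitimate services the report says were abused for
# payload hosting. Subdomains (e.g. web.archive.org) are matched as well.
WATCHED_HOSTS = {"archive.org", "pastebin.com"}

# Assumed raw-content paths: Internet Archive item downloads and Pastebin raw pastes.
# A browser visiting an item page (/details/...) will not match.
RAW_PATH_RE = re.compile(r"^/(download/|raw/)", re.IGNORECASE)

# User-agent fragments browsers do not send but scripting hosts and LOLBins do.
SCRIPT_UA_RE = re.compile(
    r"WindowsPowerShell|Microsoft Office|mshta|certutil|curl/|python-requests",
    re.IGNORECASE,
)

# Assumed proxy log format: <timestamp> <client-ip> <method> <url> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic). Item/paste identifiers are placeholders.
SAMPLE_PROXY_LOG = [
    '2021-06-02T10:14:05Z 10.0.0.15 GET https://www.google.com/ "Mozilla/5.0 (Windows NT 10.0) Chrome/91.0"',
    '2021-06-02T10:14:09Z 10.0.0.15 GET https://archive.org/details/EXAMPLE-ITEM "Mozilla/5.0 (Windows NT 10.0) Chrome/91.0"',
    '2021-06-02T10:15:31Z 10.0.0.23 GET https://archive.org/download/EXAMPLE-ITEM/stage2.txt "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1023"',
    '2021-06-02T10:16:02Z 10.0.0.23 GET https://pastebin.com/raw/EXAMPLEID "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.13929; Pro)"',
    '2021-06-02T10:17:44Z 10.0.0.40 GET https://pastebin.com/raw/EXAMPLEID2 "Mozilla/5.0 (Windows NT 10.0) Chrome/91.0"',
]


def parse_line(line):
    """Return a dict of fields for one proxy log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def host_is_watched(host):
    """True if host equals a watched domain or is a subdomain of one."""
    host = host.lower()
    return any(host == w or host.endswith("." + w) for w in WATCHED_HOSTS)


def triage(lines):
    """Return alerts for requests to watched services that look like payload retrieval.

    Both indicators present  -> "high"   (raw content fetched by a scripting host)
    One indicator present    -> "medium" (worth a look, could be legitimate use)
    Neither                  -> no alert (ordinary browsing of the service)
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the whole run
        url = urlparse(rec["url"])
        if not host_is_watched(url.hostname or ""):
            continue
        reasons = []
        if RAW_PATH_RE.match(url.path):
            reasons.append("raw-content path")
        if SCRIPT_UA_RE.search(rec["ua"]):
            reasons.append("non-browser client")
        if reasons:
            alerts.append({
                "ts": rec["ts"],
                "client": rec["client"],
                "url": rec["url"],
                "reasons": reasons,
                "severity": "high" if len(reasons) == 2 else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_PROXY_LOG):
        print(alert["severity"], alert["client"], alert["url"], "|", ", ".join(alert["reasons"]))
```

Run against the constructed sample, the two requests from 10.0.0.23 (a PowerShell fetch from an Internet Archive download path and an Office process reading a raw paste) come out as high-severity, the browser request for a raw paste is medium, and ordinary browsing of an item page produces nothing. The user-agent check is the weaker of the two signals, since an attacker can set any string; correlating the alert with process-creation telemetry on the client is the natural next step.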
See more details on the tactics leveraged by the threat actor (MITRE ATT&CK T1583.006, Acquire Infrastructure: Web Services) in the original report.