Compromised WordPress Sites Deliver RATs in Aggah's Spear-Phishing Campaign

A suspected Pakistan-linked group uses compromised WordPress sites to deliver Warzone RATs to Taiwanese and South Korean manufacturers.

A new spear-phishing campaign is targeting manufacturers in Asia with a weaponized version of the Warzone RAT. The targeted websites are usually compromised WordPress apps.

Aggah, the threat group that carried out the operations of the #MeToo campaign, is believed to be based in Pakistan.

The campaign, which began in February, targeted Taiwanese and South Korean manufacturing companies. It used RATs to trick employees into transferring money to offshore accounts.

The campaign uses spoofed email addresses appearing to originate with legitimate customers of the manufacturers.

“Spoofed business-to-business (B2B) email addresses against the targeted industry is activity consistent with Aggah,” Tara Gould and Rory Gould from Anomali Threat Research wrote in a report on the campaign published Thursday.

Researchers from Palo Alto Networks’ Unit 42 first discovered Aggah in March 2019 in a campaign targeting entities in the United Arab Emirates that was later identified as a global phishing campaign designed to deliver RevengeRAT, researchers said.

The group typically aims to steal data from its targets.

Researchers suspect it is affiliated with Gorgon Group, a Pakistani group known for targeting Western governments. While this link has not been proven, researchers tend to agree that the Urdu-speaking group originated in Pakistan.

Aggah also targeted Taiwanese companies such as FomoTech and Fon-star International Technology and Korean Hyundai Electric.

The spear-phishing campaign started with an email that looked like it came from FoodHub, a food delivery service in the UK. The email contains an attached PowerPoint file “Purchase order 4500061977,pdf.ppam” with obfuscated macros. The macros execute JavaScript code from a known compromised website,[.]html.

“ is the legitimate website for a hotel in India that has been compromised to host malicious scripts,” they said. “Throughout this campaign, we observed legitimate websites being used to host the malicious scripts, most of which appeared to be WordPress sites, indicating the group may have exploited a WordPress vulnerability.”

The script in turn communicates with[.]html, which is another compromised website, this one belonging to a food distributor based in Afghanistan.

Eventually, the final payload is downloaded: the Warzone RAT, which is available for purchase on the dark web.

“The RAT reuses code from the Ave Maria stealer.” Its capabilities include privilege escalation, keylogging, downloading and executing files, remote shell, file manager, and persistence on the network, researchers noted.
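The delivery stage described above relies on a macro-enabled PowerPoint add-in whose filename poses as a PDF (“Purchase order 4500061977,pdf.ppam”). The Python sketch below is an added example, not code from Anomali or from the original article: it triages a mail message for that attachment pattern. The extension lists, the function names `triage`, `has_vba` and `build_sample`, and the sample message are assumptions constructed for illustration.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Macro-capable Office extensions (.ppam is the add-in type named in the article).
MACRO_EXTS = {".ppam", ".pptm", ".ppsm", ".potm", ".docm", ".dotm", ".xlsm", ".xlam", ".xltm"}
# Decoy document type placed just before the real extension, e.g. "...,pdf.ppam".
DECOY = re.compile(r"[.,_ ](pdf|docx?|xlsx?|txt|jpe?g|png)\.[a-z0-9]{3,4}$", re.I)

def has_vba(data: bytes) -> bool:
    """True if the bytes are an OOXML zip that carries a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def triage(raw: bytes) -> list:
    """Return (filename, sorted reasons) for each suspicious attachment."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = set()
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in MACRO_EXTS:
            reasons.add("macro-capable-extension")
        if DECOY.search(name):
            reasons.add("decoy-extension")
        if has_vba(part.get_payload(decode=True) or b""):
            reasons.add("vba-project-present")
        if reasons:
            findings.append((name, sorted(reasons)))
    return findings

def build_sample() -> bytes:
    """Constructed test message: a harmless zip with a dummy vbaProject.bin entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/vbaProject.bin", b"constructed placeholder, not a real macro")
    msg = EmailMessage()
    msg["From"] = "orders@customer.example"      # constructed address
    msg["To"] = "sales@manufacturer.example"     # constructed address
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream",
                       filename="Purchase order 4500061977,pdf.ppam")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()
```

Calling `triage(build_sample())` flags only the `.ppam` attachment, with all three reasons; the plain PDF passes.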

About the author

CIM Team
