The latest in a series of online attacks is ‘Aggah’, a global malware campaign with roots in the Middle East. The Windows malware is a commodity Trojan script spread via an infected Microsoft Word document. The perpetrators trick users into downloading and activating the malicious code, which deploys RevengeRAT.

Since RevengeRAT is assembled from several open-source Trojan builds, it is very difficult to pinpoint the actual spammer behind it. The people involved use the alias ‘haggah’ to carry out their operation.


Windows Malware: How ‘Aggah’ Works

A malware attack in the Aggah campaign consists of three main steps.

The malware in the Aggah campaign works very discreetly, through a long chain of steps initiated by a macro.


The Weakness Being Exploited

Microsoft Open Office XML (OOXML) replaced the older document formats (.doc, .ppt) with new XML-based formats (.docx, .pptx).

OOXML files are ZIP archives made up of components called ‘Parts’, which are responsible for rendering the document when it is opened.

Rendering of Parts is regulated by ‘Properties’, which may or may not reference publicly shared resources by URL. This can be exploited by hackers: whenever such a document is opened, it leaves room for them to load a malicious script instead of the actual document, a technique known as Template Injection.
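Because the external references live in plain XML relationship parts inside the ZIP archive, a defender can inspect a document for them without opening it in Word. The scanner below is an added example (not code from the original article or from Unit42): it unpacks an OOXML file, walks every `*.rels` part, reports each relationship whose `TargetMode="External"` target is fetched over a network scheme or UNC path, flags the `attachedTemplate` relationship type that drives Template Injection, and also notes whether the package embeds a VBA project, which is the macro that starts the Aggah chain. The `build_sample_docx` helper constructs a minimal, payload-free test document in memory; the `example.invalid` URLs in it are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

# Namespace shared by every *.rels part inside an OOXML package.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# Relationship type that tells Word to fetch and apply an attached template.
ATTACHED_TEMPLATE = OFFICE_REL + "/attachedTemplate"
# Schemes that mean the target lives outside the package and must be fetched.
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}


def scan_ooxml(data: bytes) -> dict:
    """Inspect an OOXML package and report external relationship targets and macros.

    Returns a dict with:
      external_relationships: every relationship whose target is fetched from outside
      remote_template: True if an attachedTemplate relationship points outside the file
      has_macros: True if the package embeds a VBA project (vbaProject.bin)
    """
    findings = {"external_relationships": [], "remote_template": False, "has_macros": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["has_macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                rtype = rel.get("Type", "")
                is_remote = (rel.get("TargetMode") == "External" and
                             (urlparse(target).scheme.lower() in REMOTE_SCHEMES
                              or target.startswith("\\\\")))
                if not is_remote:
                    continue
                findings["external_relationships"].append(
                    {"part": name, "type": rtype.rsplit("/", 1)[-1], "target": target})
                if rtype == ATTACHED_TEMPLATE:
                    findings["remote_template"] = True
    return findings


def build_sample_docx(template_url: Optional[str] = None) -> bytes:
    """Build a minimal constructed .docx in memory for exercising the scanner.

    The document body is empty and carries no payload. When template_url is given,
    word/_rels/settings.xml.rels gets an external attachedTemplate relationship,
    which is exactly the marker the scanner looks for.
    """
    rels_open = f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
    package_rels = (rels_open +
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/officeDocument" Target="word/document.xml"/>'
        '</Relationships>')
    # An ordinary hyperlink is also an External relationship: the scanner reports it,
    # but it must not be confused with a remote template.
    document_rels = (rels_open +
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/hyperlink" '
        'Target="https://example.invalid/page" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}/settings" Target="settings.xml"/>'
        '</Relationships>')
    wml = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels", package_rels)
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{wml}"><w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/settings.xml", f'<w:settings xmlns:w="{wml}"/>')
        if template_url:
            zf.writestr("word/_rels/settings.xml.rels", rels_open +
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_url}" TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a clean document and one carrying a remote template reference.
    for label, url in (("clean", None), ("remote-template", "http://example.invalid/t.dotm")):
        print(label, scan_ooxml(build_sample_docx(url)))
```

To triage a real attachment, read it with `open(path, "rb").read()` and pass the bytes to `scan_ooxml`. A hit on `remote_template`, or `has_macros` together with any external relationship, is worth a closer look before the file is ever opened in Word; hyperlinks alone are normal in most business documents.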

The latest Windows malware uses the following steps to exploit the feature described above:

This malware campaign is targeting financial institutions, government bodies, education institutions, marketing agencies, etc.

The Windows malware campaign was spotted by cybersecurity researchers at Unit42, based in Palo Alto.

How To Stay Safe

Currently, it is advised not to open any Word document similar to the one described above. Also, don’t click ‘Enable Content’ in MS Word, and open suspicious documents only in Office 365, as macros can’t be enabled there.

Malware attacks have seen a significant rise in recent years. From pirated Game of Thrones episodes to Microsoft Word documents, anything with the potential to draw heavy traffic is being laced with malware.

Several ransomware strains have also caused havoc, particularly in the industrial engineering industry, causing hundreds of thousands of dollars in damage. On top of that, several new types of ransomware are on the rise, disguising themselves as PC-enhancing mods while encrypting users’ files.

In today’s fast-evolving world, it is best to stay one step ahead in order to stay safe.
