Aggah Group. In the footsteps of a cybercriminal group from Pakistan
At the end of April 2022, our radars detected a sharp surge in the distribution of malicious Microsoft Office Excel documents, the opening of which leads to the download to the target system of malware «FormBook» - popular among the hackers stealer distributed by the «MaaS» business model («Malware-as-a-Service»).
The malicious campaign is clearly aimed at employees of the financial departments of the attacked organizations, since infected Excel documents with a «FormBook» on board are distributed as attachments to business-oriented emails and disguised as bank payment orders, money transfer receipts, salary statements, lists of counterparties, applications for transportation services of popular services delivery. In fact, the financial statements contained in the documents are a distorted image of a financial document borrowed from the Internet, which its recipients, in principle, are not destined to read.
The results of the analysis of the headers and language settings of malicious Excel documents and emails that got into our networks allow us to assert that this cyberattack is aimed at organizations located at least in the
UK
Germany
Turkey
Slovenia
Romania
Italy
Spain
Croatia
Czech Republic
Hungary
We are sure that the geography of cybercriminals' goals is much wider.
It is noteworthy that all detected infected Excel documents were created on the eve of their distribution, cleared of metadata and password protected, which allows cybercriminals to reduce the likelihood of detecting malicious mailing by antivirus protection tools installed on mail servers, due to the impossibility of signature analysis of embedded VBA macros.
However, running files in the sandbox exposes their true essence of stiller loaders «FormBook» and allows them to be divided into 2 groups according to the method of activating VBA macros for downloading malicious payload to the target system, the second of which surprised us very much with its venerable age by the standards of cyber security:
- a banal notification about the need to activate macros to ensure that an allegedly protected document can be read
- exploitation of the vulnerability of Microsoft Office documents discovered back in 2017 «CVE-2017-11882» using the corresponding PoC exploits placed in open access on the Internet
In both cases, the post-exploitation tool is loaded, performing additional exploration and fixing in the infected system by its own replication and adding to the startup, and then the stiller «FormBook» is directly launched by injecting it into one of the system processes with privileged access rights.
According to the infrastructure used for storing and delivering samples of «FormBook», the detected Excel documents can be divided into 2 clusters, the second of which allowed us to attribute the organizers of the malicious campaign:
- servers located primarily in
USA and 
Vietnam (64% and 15% respectively), as well as in 
France, 
Sweden, 
Netherlands, 
UK and 
Indonesia - web service for hosting and joint development of Git projects «BitBucket»
To connect to servers, white IP addresses are hardcoded in obfuscated VBA macros. Delegation of any domain names, DGA techniques and proxies are not used. At the same time, the incremental initialization of Excel documents each time leads to the loading of unique samples with «FormBook» from the same servers , which clearly indicates the use of automated malicious code cryptors on the backend side.
It is noteworthy that in addition to «FormBook», we managed to detect the presence of other popular stillers and RAT trojans on the servers used - «AgentTesla» and «NanoCore» - which a little later also began to be used as part of the detected malicious campaign and delivered to target systems under the guise of similar Excel documents.
A similar distribution legend, the behavior of pre-exploration and post-exploitation tools are observed during the initialization of Excel documents using the «BitBucket» web service for storing payloads. The only difference is the way the payload is loaded - the VBA macro saves an executable JavaScript loader file in the target file system, the code of which is hidden on a hidden sheet of a malicious Excel document, and runs it using the built-in Windows utility «Mshta» («Microsoft HTML Application Host»).
According to the commits of the project participants (and there are at least three of them), cybercriminals were engaged in finalizing the malicious program code of the payloads until April 20, and after 2 days the first samples of Excel documents with a «FormBook» appeared on our radars.
Further surfing on the web suggested to us that the organization of this malicious campaign is presumably 
Pakistani cybercrime group «Aggah Group» (TH-157), which first gained fame in October 2019 in connection with cyber attacks on organizations 
Ukraine, 
Lithuania and Italy.
At the same time, the «Aggah Group» has previously been seen using bundles of Microsoft Office PowerPoint documents and popular legitimate web services, such as «Blogspot» and «Pastebin», to deliver to target systems RAT trojans «WarzoneRAT», «RevengeRAT» and stiller «AZORult».
The group does not have a DLS website, it does not follow the current trend in the cybercrime world to blackmail its victims by publishing stolen trade secrets and rather specializes in the classic compromise of Internet banking systems and the theft of funds. We have not yet seen loud headlines of newspapers digital publications about the successes of the «Aggah Group», but our radar data confidently allow us to say that the group continues to aggressively conduct a cyberattack to this day, armed with popular and affordable trojans.