Home Malware Programs Malware Aggah


Posted: April 25, 2019

Aggah is a Trojan downloader that may install a Remote Access Trojan (otherwise known as a RAT) or conduct other attacks against your computer. Threat actors are distributing this Trojan through corrupted Word documents that will prompt for enabling their additional content. Users can scan any files from suspicious sources for letting anti-malware products identify the threat or remove Aggah afterward with the same software.

The Ravenous RATs That Documents Wield

The misuse of text documents' features tends to be one of the easiest vehicles for Trojans to gain access to a PC or smartphone. Previous, still-recent attacks utilizing threats like file-locking Trojans from Ransomware-as-a-Service families and state-sponsored spyware offer subtle exploits that the readers fail at noticing after clicking. In many cases, such as Aggah, the price that they pay is tantamount to 'handing the keys' of their computer over to an unseen attacker.

Aggah is circulating through corrupted, specially-designed Word documents, and is serving as the installer for the RevengeRAT. The RevengeRAT is a high-level threat that comes with features for helping threat actors control the UI, exfiltrate system information and credentials, and install other software. Aggah drops it after initiating a non-consensual download of JavaScript that the threat actor is hosting on a Blogspot site.

Besides its downloads, malware experts can confirm Aggah's conducting anti-security attacks along the way, such as disabling Windows Defender. However, before it does any of these things, the user has to agree to several prompts, which are the only warnings of the attack. The Word file will ask that readers 'view in desktop,' 'enable editing,' and 'enable content' before loading the rest of the payload. This caveat applies to all modern versions of Word, which disable advanced, macro-based content by default – due to the security risk.

Getting Your Revenge on the RevengeRAT's Enabler

Aggah, which gets its title from the 'Haggah' alias of its threat actors, is, theoretically, capable of distributing more threats than just that Remote Access Trojan. Other features that are working in its payload include various filesystem-oriented, shell commands, as well as Registry changes that can hamper both security utilities and productivity software like Microsoft Office definitively. The second of these inclusions could be Aggah's covering the tracks of its infection vectors, which can give it more time for spreading throughout local networks.

Updating Word software and leaving macros and similarly-advanced content inactive will stop both Aggah and an incredible breadth of other drive-by-download attacks. Malware analysts recommend always leaving macros off unless you know and trust the sender of a document. Similar exploits may use other products, such as outdated versions of Adobe's PDF Reader, without requiring any consent.

The industries at risk from Aggah's current attacks include financial companies such as banks, marketing companies, and unspecified segments of both the education sector and national governments. Windows users should have all environments appropriate protected by anti-malware programs that should be capable of deleting Aggah without letting its downloads trigger.

Aggah uses a template-injecting tactic for turning the building blocks of file formats like DOCX documents and PPTX spreadsheets into launching pads for its attacks. Anyone who isn't willing to play the host to a RevengeRAT infection should remember that modern software has vulnerabilities, too, just like the old equivalents.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Aggah may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria .

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.