
Aggah

Posted: April 25, 2019

Aggah is a Trojan downloader that may install a Remote Access Trojan (otherwise known as a RAT) or conduct other attacks against your computer. Threat actors are distributing this Trojan through corrupted Word documents that prompt the reader to enable their additional content. Users can scan files from suspicious sources with anti-malware products to identify the threat, or remove Aggah afterward with the same software.

The Ravenous RATs That Documents Wield

The misuse of text documents' features tends to be one of the easiest vehicles for Trojans to gain access to a PC or smartphone. Previous, still-recent attacks involving threats like file-locking Trojans from Ransomware-as-a-Service families and state-sponsored spyware use subtle exploits that readers fail to notice after clicking. In many cases, such as Aggah, the price they pay is tantamount to 'handing the keys' of their computer over to an unseen attacker.

Aggah is circulating through corrupted, specially-designed Word documents, and is serving as the installer for the RevengeRAT. The RevengeRAT is a high-level threat that comes with features for helping threat actors control the UI, exfiltrate system information and credentials, and install other software. Aggah drops it after initiating a non-consensual download of JavaScript that the threat actor is hosting on a Blogspot site.

Besides its downloads, malware experts confirm that Aggah conducts anti-security attacks along the way, such as disabling Windows Defender. However, before it does any of these things, the user has to agree to several prompts, which are the only warnings of the attack. The Word file will ask that readers 'view in desktop,' 'enable editing,' and 'enable content' before loading the rest of the payload. This caveat applies to all modern versions of Word, which disable advanced, macro-based content by default because of the security risk.

Getting Your Revenge on the RevengeRAT's Enabler

Aggah, which gets its title from the 'Haggah' alias of its threat actors, is, theoretically, capable of distributing more threats than just that Remote Access Trojan. Other features in its payload include various filesystem-oriented shell commands, as well as Registry changes that can decisively hamper both security utilities and productivity software like Microsoft Office. The second of these could be Aggah covering the tracks of its infection vectors, which can give it more time for spreading throughout local networks.

Updating Word software and leaving macros and similarly-advanced content inactive will stop both Aggah and an incredible breadth of other drive-by-download attacks. Malware analysts recommend always leaving macros off unless you know and trust the sender of a document. Similar exploits may use other products, such as outdated versions of Adobe's PDF Reader, without requiring any consent.

The industries at risk from Aggah's current attacks include financial companies such as banks, marketing companies, and unspecified segments of both the education sector and national governments. Windows users should have all environments appropriately protected by anti-malware programs that are capable of deleting Aggah without letting its downloads trigger.

Aggah uses a template-injecting tactic for turning the building blocks of file formats like DOCX documents and PPTX presentations into launching pads for its attacks. Anyone who isn't willing to play host to a RevengeRAT infection should remember that modern software has vulnerabilities, too, just like its older equivalents.
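The template-injection tactic described above, and the macro-based content that Word only runs after 'enable content', both leave markers inside the OOXML container that a defender can check for before a document is ever opened. The following scanner is an added example for this page, not code from the page or from any analysis of Aggah: it unpacks a DOCX in memory, reads every relationship (.rels) part for an attachedTemplate relationship whose TargetMode is External (the remote-template hook), and flags any embedded vbaProject.bin part. The sample documents it builds, the function names, and the URL placeholder.invalid are constructed for the example.

```python
"""Scan an OOXML file (DOCX, DOTX, PPTX, XLSX) for template-injection markers.

Added example for this page; not code from the page or from any
analysis of Aggah itself. It looks for the two artifacts the text
describes: a relationship that pulls a template from an external URL,
and an embedded VBA project (vbaProject.bin) that Word would only run
after 'enable content'. The sample documents are constructed in memory
so the script runs offline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/"
    "relationships/attachedTemplate"
)


def scan_ooxml(data: bytes) -> list:
    """Return (kind, detail) findings for an OOXML file held as bytes.

    kind is "remote_template" for an attachedTemplate relationship whose
    TargetMode is External, "external_rel" for any other external
    relationship, and "macro" when a vbaProject.bin part is present.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith("vbaProject.bin"):
                findings.append(("macro", name))
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # internal parts are normal document structure
                target = rel.get("Target", "")
                if rel.get("Type") == ATTACHED_TEMPLATE_TYPE:
                    findings.append(("remote_template", target))
                else:
                    findings.append(("external_rel", target))
    return findings


def build_sample_docx(template_url=None, with_macro=False) -> bytes:
    """Build a minimal, constructed DOCX for exercising the scanner.

    template_url (hypothetical) adds a remote attachedTemplate relationship;
    with_macro adds an empty placeholder vbaProject.bin part.
    """
    rels = [
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        '<Relationships xmlns="%s">' % REL_NS[1:-1],
    ]
    if template_url:
        rels.append(
            '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
            % (ATTACHED_TEMPLATE_TYPE, template_url)
        )
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"")
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_docx()
    injected = build_sample_docx("http://placeholder.invalid/remote.dotm", True)
    print("clean   :", scan_ooxml(clean))
    print("injected:", scan_ooxml(injected))
```

A document with a "remote_template" finding will fetch that URL the moment Word opens it, before any macro prompt, which is why the check belongs at the mail gateway or file share rather than on the endpoint; a "macro" finding is the part the 'enable content' prompt guards. The scanner reads every .rels part, so it covers PPTX and XLSX containers as well as the DOCX sample it builds.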
