In March 2019, Unit 42 began looking into an attack campaign that appeared to be primarily focused on organizations within a Middle Eastern country. Further analysis revealed that this activity is likely part of a much larger campaign impacting not only that region but also the United States, and throughout Europe and Asia. In this blog, we outline our findings around a new campaign we’ve named the Aggah Campaign based on the actor’s alias “hagga”.
In November 2018, the Chafer threat group targeted a Turkish government entity, reusing infrastructure that they had used in campaigns reported earlier in 2018. Unit 42 has observed Chafer activity since 2016; however, Chafer has been active since at least 2015. This new secondary payload is Python-based and compiled into executable form using the PyInstaller utility. We’ve also identified code overlap with OilRig’s Clayside VBScript, but at this time we track Chafer and OilRig as separate threat groups. We have named this payload MechaFlounder for tracking purposes.
Since at least 2015, a suspected South Asian threat group known as BITTER has been targeting Pakistani and Chinese organizations using variants of a previously unreported downloader. We have named this malware family ArtraDownloader. Starting in September 2018 and continuing through the beginning of 2019, BITTER launched a wave of attacks targeting Pakistan and Saudi Arabia. This is the first reported instance of BITTER targeting Saudi Arabia.
Unit 42 monitors the continued evolution of Upatre and its anti-analysis techniques.
Unit 42 investigates the RANCOR group’s use of the DDKONG and PLAINTEE malware families to deliver targeted espionage attacks in South East Asia.
Unit 42 observes the Patchwork group continuing to use weaponized legitimate documents to deliver their updated BADNEWS payload.