Aggah: Not Exactly APT
From the illuminating malware adversaries series.
Update 7 Feb 2020: As some folks pointed out, Aggah apparently sells or freely gives malware to Nigerian actors which jives well with the data we uncovered. The actual Aggah is indeed Pakistani and utilizes commodity malware in his campaigns too. Names have been edited below to hopefully thwart any disambiguation.
Recently it was suggested that a malware threat actor group nicknamed by researchers as “Aggah” might have (albeit inconclusive) ties to the Gorgon Advanced Persistent Threat (APT) group. Historically, the Gorgon Group is attributed to cyber operations conducted by Pakistani actors. As source intelligence collected by MalBeacon indicates, the reported Lokibot PWS command-and-control servers were in fact administered by low-tier actors operating out of Nigeria.
The malware C2 in question was using the gate URL at:
hXXp://107.175.150[.]73/~giftioz/.cttr/fre.php
Since November 2019, we have observed callbacks from the following Lokibot C2 admin URL:
hXXp://107.175.150[.]73/~giftioz/.cttr/vob.php
Although the adversaries changed the filename from PvqDq929BSx_A_D_M1n_a.php to vob.php perhaps as a lame attempt to obfuscate the C2 admin path, MalBeacon was able to enumerate the changed URL. No additional modifications were made to the standard Lokibot admin login screen despite this name change.
The source IP addresses from these beacon callbacks do not appear to be VPN exit nodes. Due to the amazing “to the doorstep” location accuracy available in Hyas’ Insight, we determined that Aggah grants access to these Lokibot panels to other Firefinches, this one based in Lagos, Nigeria. MalBeacon tracks this actor as Freebird Firefinch due to them taking malware handouts from Aggah. We previously reported on this Nigerian’s cousin: the Pija-Droid Firefinch.
Freebird Firefinch seems to enjoy some of the finer things in life like an iPhone running iOS v12 and a laptop installed with the latest Windows 10 OS — observed devices utilized to administer his Lokibot botnets. Like most casual Internet users, his preferred web browsers are Safari while mobile and Chrome during desktop sessions.
MalBeacon assesses with high confidence that the domains below were also utilized for malware C2 by the Freebird Firefinch, Aggah, or their associated cyber-crime partners. In addition to Lokibot PWS, this threat actor group currently has access to and has previously used Formbook Infostealer for malware campaigns in the wild.
chatwithnow[.]asia
edificiosafico.com[.]ar
faithyulopuiytsdetrilp[.]tk
filmmagapp[.]ir
flood-protection[.]org
frenddizoni[.]org
jabtuayegakalko[.]com
microzoftt[.]com
tahetah[.]ir
higcaf[.]com
