WordPress Sites Abused in Aggah Spear-Phishing Campaign
2021-08-13 13:31

Threat actors are using compromised WordPress websites to target manufacturers across Asia with a new spear-phishing campaign that delivers the Warzone RAT, a commodity infostealer available widely for purchase on criminal forums, researchers have found.

The threat group Aggah, believed to be affiliated with Pakistan and first identified in March 2019, is delivering the RAT in a campaign aimed at spreading malware to manufacturing companies in Taiwan and South Korea, according to new research from threat detection and response security firm Anomali.

"Spoofed business-to-business email addresses against the targeted industry is activity consistent with Aggah," Tara Gould and Rory Gould from Anomali Threat Research wrote in a report on the campaign published Thursday.

Researchers from Palo Alto Networks' Unit 42 first discovered Aggah in March 2019 in a campaign targeting entities in the United Arab Emirates that was later identified as a global phishing campaign designed to deliver RevengeRAT, researchers said.

The latest Aggah spear-phishing campaign begins with a custom email masquerading as "FoodHub.co.uk," an online food delivery service based in the United Kingdom, researchers said.

"Throughout this campaign, we observed legitimate websites being used to host the malicious scripts, most of which appeared to be WordPress sites, indicating the group may have exploited a WordPress vulnerability."


News URL

https://threatpost.com/aggah-wordpress-spearphishing/168657/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Wordpress 7 2 93 44 18 157