Crypters And Tools. Part 2: Different Paws — Same Tangle

The article covers the ongoing activity of several threat actor groups that use Crypters And Tools. Notably, it shows that the Aggah group is still active despite earlier claims that it had ceased operations. The connections between groups such as TA558 and Blind Eagle are examined alongside their methods, including phishing and the use of a wide range of malware. The article also stresses the need for accurate attribution in security research and cautions against assigning recurring features to a specific actor. Affected: Aggah, TA558, Blind Eagle, PhantomControl, PhaseShifters, UAC-0050

Key points:

  • At least six threat actor groups employ Crypters And Tools for attacks.
  • The Aggah group remains active, counter to earlier reports of its cessation in 2022.
  • TA558 has expanded its targets from the tourism sector in Latin America to global regions.
  • Blind Eagle targets governmental entities primarily in South America.
  • Common malware used by these groups includes Agent Tesla, Remcos RAT, and AsyncRAT.
  • PhantomControl has utilized compromised websites for malware distribution.
  • Misattribution of recurring features in attacks can lead to inaccurate threat actor characterization.
  • Documented overlap in TTPs (Tactics, Techniques, and Procedures) exists among these groups.
  • Several users affiliated with these groups use Crypters And Tools, expanding the threat landscape.
  • Recent Aggah campaigns indicate a resurgence of activity into 2025 after previous inactivity.

MITRE Techniques:

  • T1566: Phishing – Used to distribute malware to victims.
  • T1071: Application Layer Protocol – Leveraged in communication with C2 servers.
  • T1203: Exploitation for Client Execution – Malicious documents exploit vulnerabilities.
  • T1041: Exfiltration over Command and Control Channel – Data is exfiltrated through APIs.
  • T1032: Data Encoding – Base64 encoding used for the delivery of scripts.
  • T1170: DGA (Domain Generation Algorithms) – Used by threat groups to obscure command and control URLs.

Indicators of Compromise:

  • [URL] http://104.168.7.38/xampp/knct/nicefeelingwithbestgoodthinksfor.txt
  • [URL] http://104.168.7.38/xampp/knct/Lightgreatloversonhereforlovingpeoplesalot.hta
  • [SHA-256] 55ea07bbd700488fd6330d289f210b2da119401a9e27009472d1afec2f6c6339
  • [MD5] 5fe3f4e4ab026fbcd0b595c7b35eb3b3997cae0fc8b92728b0bd556a3ec3c092
  • [IP Address] 62.60.226.64
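As an added example (not part of the original article or PT Security's tooling), the script below turns the indicators listed above into lookup sets and scans a few constructed proxy, EDR and firewall log lines for matches. Hash algorithms are inferred from digest length instead of being trusted from the label: a 64-hex-character digest is SHA-256 length, so the entry labelled MD5 above is reported by `mislabelled()` as a SHA-256 value. The log lines, host names and field layout are constructed for illustration.

```python
"""Match the listed indicators against constructed log lines.

Added example, not code from the original article. Indicator values are
copied verbatim from the page; log lines are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicators as listed on the page (values copied verbatim, labels as given).
RAW_INDICATORS = [
    ("URL", "http://104.168.7.38/xampp/knct/nicefeelingwithbestgoodthinksfor.txt"),
    ("URL", "http://104.168.7.38/xampp/knct/Lightgreatloversonhereforlovingpeoplesalot.hta"),
    ("SHA-256", "55ea07bbd700488fd6330d289f210b2da119401a9e27009472d1afec2f6c6339"),
    ("MD5", "5fe3f4e4ab026fbcd0b595c7b35eb3b3997cae0fc8b92728b0bd556a3ec3c092"),
    ("IP", "62.60.226.64"),
]

# Digest length in hex characters -> algorithm (MD5 = 128 bit, SHA-1 = 160 bit, SHA-256 = 256 bit).
HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}

def classify_hash(value):
    """Return the digest algorithm implied by the length of a hex string, or None."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        return None
    return HASH_LENGTHS.get(len(value))

def mislabelled(indicators):
    """Return (label, inferred_algorithm, value) for hash entries whose label disagrees with the length."""
    out = []
    for kind, value in indicators:
        if kind in ("URL", "IP"):
            continue
        inferred = classify_hash(value)
        if inferred != kind:
            out.append((kind, inferred, value))
    return out

def normalize(indicators):
    """Build lookup sets; hosts are pulled out of URLs so a bare contact with the IP is also caught."""
    urls, hosts, hashes = set(), set(), set()
    for kind, value in indicators:
        if kind == "URL":
            urls.add(value.lower())
            hosts.add(urlsplit(value).hostname)
        elif kind == "IP":
            hosts.add(value)
        elif classify_hash(value):          # keep any well-formed digest, whatever its label
            hashes.add(value.lower())
    return urls, hosts, hashes

URL_RE = re.compile(r"https?://\S+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")

def scan_line(line, lookups):
    """Return a list of (kind, value) hits for one log line."""
    urls, hosts, hashes = lookups
    hits = []
    hits += [("url", u) for u in URL_RE.findall(line) if u.lower() in urls]
    hits += [("host", ip) for ip in IP_RE.findall(line) if ip in hosts]
    hits += [("hash", h.lower()) for h in HEX_RE.findall(line) if h.lower() in hashes]
    return hits

def scan(lines, indicators=RAW_INDICATORS):
    """Return [(line_index, hits)] for every line that matched at least one indicator."""
    lookups = normalize(indicators)
    results = []
    for i, line in enumerate(lines):
        hits = scan_line(line, lookups)
        if hits:
            results.append((i, hits))
    return results

# Constructed sample log lines (hosts, timestamps and field names are invented).
SAMPLE_LOG = [
    "2025-03-03T10:14:02Z proxy src=10.0.0.7 method=GET url=http://104.168.7.38/xampp/knct/nicefeelingwithbestgoodthinksfor.txt status=200",
    "2025-03-03T10:14:05Z edr host=WS-17 file=stage2.bin sha256=55ea07bbd700488fd6330d289f210b2da119401a9e27009472d1afec2f6c6339",
    "2025-03-03T10:15:11Z fw action=allow dst=62.60.226.64 dport=443",
    "2025-03-03T10:16:40Z proxy src=10.0.0.9 method=GET url=http://example.invalid/update.txt status=404",
]

if __name__ == "__main__":
    for kind, inferred, value in mislabelled(RAW_INDICATORS):
        print(f"label {kind} but length says {inferred}: {value}")
    for index, hits in scan(SAMPLE_LOG):
        print(index, hits)
```

Matching on the URL's host as well as the full URL means a later request to the same server with a different path still surfaces, at the cost of more hits to triage; the length check is worth keeping in any IoC loader, because a digest stored under the wrong algorithm never matches the field it is compared against.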

Full Story: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/crypters-and-tools-part-2-different-paws-same-tangle