2 min

Palo Alto Networks Unit 42 security researchers have discovered that the Aggah campaign uses Bit.ly, BlogSpot, and Pastebin to spread variants of the RevengeRAT malware. RevengeRAT is a remote access tool.

According to the researchers, the Aggah campaign started with an e-mail that was sent on 27 March, writes Security Intelligence. The email seemed to come from a large financial company and told recipients that their account was encrypted.

The e-mail also contained a rogue Word document, which tried to load an Object Linking and Embedding (OLE) document via template injection. The OLE document contained a macro that decoded and executed a Bit.ly that linked to a BlogSpot message. The message then used Pastebin messages to download additional scripts, which in turn download a variant of the RevengeRAT malware.


RevengeRAT was first distributed on underground forums in June 2016 by an Arabic-speaking malware maker. The malware didn’t cost anything back then. Two months later, the creator released a more advanced version of the malware. Since then, researchers have detected several campaigns around the remote access tool.

For example, RSA saw a campaign in October 2017 in which malspam was used to deliver the malware. Cofense discovered an attack in February this year that also used BlogSpot messages and Pastebin to infect users with RevengeRAT.

The new Aggah campaign focuses on various countries. Initially, Palo Alto Networks noted that the Aggah campaign targeted two countries in the Middle East. However, later analyses showed that the campaign is much larger and has at least ten branches in the United States, Europe and Asia in mind.


It is possible for security professionals to protect their organisations from campaigns such as the Aggah campaign. This can be done by using ahead-of-threat detection. This method helps security teams detect potentially malicious domains before cybercriminals use them in their attack campaigns.

It is also recommended to use VBA editor and other tools to check PDFs, Microsoft Office documents and other attachments in emails for malicious macros.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.