A new Aggah campaign that uses clipboard hijacking code to swap Bitcoin addresses has been detected. The same campaign also distributes a variety of other malicious code files.
According to analysts, the new activity closely matches previously identified Aggah campaigns. To host malicious material, the group has used free services such as Blogspot, Bitly, and usrfiles[.]com. In early October, researchers found malicious VBScript in Blogspot URLs, and later a series of URLs containing VBScript and PowerShell commands for clipboard hijacking. This form of hijacking replaces a cryptocurrency address the victim has copied with one controlled by the attacker. The same code also installs trojan backdoor files that connect to dynamic DNS (DDNS) subdomains. RiskIQ researchers identified seven different cryptocurrency addresses (Bitcoin, Ethereum, XMR, XLM, XRP, LTC, and Doge) used in the attacks.
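The clipboard-swap behaviour described above has a simple detection signature from the defender's side: the clipboard holds an address of one family (say Bitcoin) and, a fraction of a second later, holds a different address of the same family without the user having copied anything new. The following added example (not code from the report or from RiskIQ) implements that check over a constructed stream of timestamped clipboard samples. The address patterns, the 3-second window, and the sample addresses are all assumptions made for illustration; the patterns are deliberately permissive and perform no checksum validation, since the aim is to notice a suspicious same-family substitution, not to validate addresses.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Loose syntactic patterns for the address families named in the report.
# Assumption: these are illustrative and permissive (no checksum checks).
# Order matters for overlapping prefixes: the first match wins.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^4[0-9A-Za-z]{94}$"),
    "LTC": re.compile(r"^(ltc1[a-z0-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
    "XRP": re.compile(r"^r[0-9a-zA-Z]{24,34}$"),
    "XLM": re.compile(r"^G[A-Z2-7]{55}$"),
    "DOGE": re.compile(r"^D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the address family `text` syntactically resembles, or None."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return family
    return None


@dataclass(frozen=True)
class SwapAlert:
    index: int            # position in the sample stream where the swap was seen
    family: str           # address family involved (BTC, ETH, ...)
    original: str         # address the user copied
    replaced_with: str    # address that appeared in its place


def detect_address_swaps(samples: Iterable[Tuple[float, str]],
                         window_seconds: float = 3.0) -> List[SwapAlert]:
    """Flag same-family address replacements that happen within a short window.

    `samples` is a sequence of (timestamp_seconds, clipboard_text) pairs as a
    clipboard monitor would record them. A hijacker rewrites the clipboard
    almost immediately after the victim copies an address, so two *different*
    addresses of the *same* family arriving within `window_seconds` is treated
    as a swap. A user who copies the same address twice, or copies a new
    address much later, is not flagged.
    """
    alerts: List[SwapAlert] = []
    prev_t: Optional[float] = None
    prev_text: Optional[str] = None
    prev_family: Optional[str] = None
    for i, (t, raw) in enumerate(samples):
        text = raw.strip()
        family = classify(text)
        if (family is not None
                and family == prev_family          # same family as previous content
                and text != prev_text              # but a different address
                and t - prev_t <= window_seconds): # and rewritten almost at once
            alerts.append(SwapAlert(i, family, prev_text, text))
        prev_t, prev_text, prev_family = t, text, family
    return alerts


# Constructed sample data (not real addresses): a clipboard monitor's log.
BTC_USER = "bc1qexampleaddrconstructed00000000000001"
BTC_SWAP = "bc1qattackeraddrconstructed0000000000002"
ETH_ONE = "0x00112233445566778899aabbccddeeff00112233"
ETH_TWO = "0xffeeddccbbaa99887766554433221100ffeeddcc"

SAMPLE_CLIPBOARD = [
    (0.0, "meeting notes"),
    (5.0, BTC_USER),     # user copies their intended Bitcoin address
    (5.4, BTC_SWAP),     # clipboard rewritten 0.4 s later: suspicious
    (20.0, ETH_ONE),
    (60.0, ETH_TWO),     # a different ETH address 40 s later: deliberate
    (60.2, ETH_TWO),     # same address copied again: benign
    (61.0, "meeting notes"),
]

if __name__ == "__main__":
    for alert in detect_address_swaps(SAMPLE_CLIPBOARD):
        print(f"sample #{alert.index}: {alert.family} address "
              f"{alert.original} replaced with {alert.replaced_with}")
```

On a real host the `samples` stream would come from a clipboard listener; the scheduled-task loop the report describes rewrites the clipboard on a fixed cadence, which is exactly the short-interval, same-family substitution this check looks for. The window is a tunable heuristic, and a production monitor would also correlate with user input events to reduce false positives.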
Researchers also found an email with the subject line “FW URGENT Request for information” that contained a Bitly link redirecting to the malicious Blogspot URL. The page hosted VBScript that could modify the registry, create scheduled tasks for the Bitcoin address clipboard hijacking, and drop trojan and backdoor malware files onto the host machine.
Another finding was Aggah’s connection to the Mana Tools malware distribution and command and control (C2) panel, which is used by the Hagga gang. The Mana Tools panel was hosted on the same IP address as the malware in the most recent Aggah campaign.
The Aggah threat group is currently stealing cryptocurrency with a cunning clipboard hijacking scheme. To protect themselves from such attacks, businesses should use a dependable anti-malware solution and enable two-factor authentication for online accounts.