Home / Industry

Profiling the Threat Actor Known as “Hagga” and His Work

Agent Tesla, an infamous data stealer, has been plaguing Internet users since 2014. Much has been revealed about the malware, but the world didn’t come to know about one of its more adept campaign perpetrators—Hagga—until last year.

What the World Knows about Hagga So Fa

Hagga is believed to have been using Agent Tesla, 2021’s sixth most prevalent malware, to steal sensitive information from his victims since the latter part of 2021. Latest research published several indicators of compromise (IoCs) related to his infrastructure, including four domains and 18 IP addresses.

We used these data points to find out more about Hagga and his criminal infrastructure. Our in-depth analysis of WHOIS, Domain Name System (DNS), and other network records uncovered:

  • An additional IP address that could be part of Hagga’s malicious network
  • Four Duck DNS-hosted malicious domains that could be connected to the threat
  • 100 subdomains containing the string “cdec22” similar to the possibly connected subdomain artifacts uncovered
  • More than 300 domains containing the strings “statusupdate” and “heavy-dutyindustry” akin to the domains identified as threat IoCs

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What Hagga Might Currently Be Up To?

Using the published IoCs as a jump-off point, we scoured the DNS for other artifacts that organizations should look out for.

WHOIS history searches for the four domains identified as threat IoCs showed that three of them were created in the latter part of 2021, while one is a newly registered domain (NRD). The four domains’ records point to Iceland as their registrant country. Hagga also seemed to favor Namecheap as registrar.

DNS lookups for the four domain IoCs yielded an additional IP address—37[.]252[.]1[.]63—which isn’t currently part of publicly accessible data sources. While it isn’t currently tagged “malicious,” its connection to one of the IoCs makes it suspicious and thus worth monitoring at the very least.

Contrary to the sole registrant country identified for the four domain IoCs, the 18 IP addresses were spread across five different countries, none of which were geolocated in Iceland.

In fact, close to half of the 18 IP addresses pointed to U.S. locations, followed by Vietnam (28%), the Netherlands and Pakistan (11% each), and France (6%).

Reverse IP lookups for the IP address IoCs uncovered an additional four Duck DNS-hosted domains, all of which were tagged “malware hosts” by Threat Intelligence Platform (TIP) malware checks. These are:

  • cdec22[.]duckdns[.]org
  • abotherrdpajq[.]duckdns[.]org
  • mobibagugu[.]duckdns[.]org
  • warnonmobina[.]duckdns[.]org

To further expand our list of artifacts and possible IoCs, we searched for other subdomains (hosted on platforms akin to Duck DNS) and domains containing similar strings (i.e., “cdec22,” “abotherrdpajq,” “mobibagugu,” and “warnonmobina” and “workflowstatus,” “statusupdate,” “newbotv4,” and “heavy-dutyindustry”). Domains & Subdomains Discovery provided a list of 100 subdomains with the text string “cdec22.” While none of them are considered malicious to date, their similarities with the identified artifacts should render them worthy of monitoring.

The tool also turned up 305 domains with the strings “statusupdate” and “heavy-dutyindustry,” three of which—heavy-dutyindustry[.]co, jp-statusupdate[.]com, and statusupdate-loanapproval[.]com—have been dubbed “malware hosts,” apart from the IoC heavy-dutyindustry[.]shop to date.


Given the threat that Agent Tesla poses—the theft of sensitive information and the repercussions that come with it (e.g., reputational, compliance-related, and financial damages to breached companies)—organizations would do well to block access to the IoCs and connected artifacts, especially the three domains found malicious, and at the very least monitor the suspicious web properties.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com

Cybersecurity

Sponsored byVerisign