DarkHydrus was first discovered by experts at Palo Alto Networks’ Unit 42 team in July when the group carried out attacks aimed at a government agency in the Middle East.
Threat actors focused their activity in the Middle East, they used
On January 9, experts at 360’s Threat Intelligence Center (360 TIC) first observed attacks leveraging lure Excel documents written in Arabic.
“This malware is a lure Excel document with
The final stage malware is a backdoor written in C#.
According to the analysis made by malware researchers from Palo Alto Networks, the text file includes parts of a Windows Script Component (.SCT) file that once concatenated delivers a version of the RogueRobin trojan.
“The New_Macro function starts by concatenating several strings to create a PowerShell script that it will write to the file %TEMP%\WINDOWSTEMP.ps1. The function builds the contents of a second file by concatenating several strings together, but this second file is a .sct file that the function will write to a file %TEMP%\12-B-366.txt.” reads the analysis published by PaloAlto Networks.
The samples of the RogueRobin Trojan analyzed by Palo Alto Networks implement additional functionality, they include the use of
The main communication channel with the C2 server is the DNS tunneling.
“A command that was not available in the original PowerShell variant of RogueRobin but is available with the new C# variant is the x_mode. This command is particularly interesting as it enables an alternative command and control channel that uses the Google Drive API.” continues Palo Alto Networks. “The x_mode command is disabled by default, but when enabled via a command received from the DNS tunneling channel, it allows RogueRobin to receive a unique identifier and to get jobs by using Google Drive API requests.”
Once activated, the malware will receive via DNS tunneling from the C2 server a list of settings that allows it to interact with the Google Drive.
The commands are exchanged leveraging a file uploaded by the Trojan to Google Drive, every change to the is interpreted as a command.
The RogueRobin Trojan also checks is it is running in a virtualized environment or a sandbox before triggering the payload.
According to Palo Alto Networks, the malware also checks for common analysis tools running on the system and the presence of a debugger.
“Just like in the sandbox checks, the Trojan checks for an attached debugger each time it issues a DNS query; if it does detect
Experts speculate the DarkHydrus group continues its operations and improved its techniques and its arsenal. The recent attacks show DarkHydrus group is abusing open-source penetration testing techniques such as the AppLocker bypass.
(SecurityAffairs – hacking, DarkHydrus)