Rewterz Threat Alert: DarkHydrus APT Uses Google Drive to Send Commands to RogueRobin Trojan

Monday, January 21, 2019

The DarkHydrus APT group has emerged with a new variant of the RogueRobin Trojan that uses Google Drive as an alternative command and control (C2) communication channel.


The campaign, which mostly targets the Middle East, uses Excel documents as bait; the documents are embedded with malicious VBA code (a macro).


The document's name is written in the Arabic alphabet (transliterated as ‘Al-faharis and Al-itlaa’). As soon as the document is opened, the VBA macro is triggered and runs.


The macro first drops 12-B-366[.]txt into the ‘%TEMP%’ directory, then uses regsvr32[.]exe to run 12-B-366[.]txt, which is actually an HTA (HTML application) file. The HTA in turn drops a PowerShell script to %TEMP%\WINDOWSTEMP[.]ps1. Finally, the PowerShell script extracts Base64-encoded content and writes it to %TEMP%\OfficeUpdateService[.]exe, which it then executes.
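The execution chain above (Office macro, regsvr32 running a non-DLL file from %TEMP%, a PowerShell script and then an executable launched from %TEMP%) lends itself to process-creation telemetry checks. The following is an added detection example, not code from the original alert; the log format and the sample events are constructed for illustration, and the command-line details in them are assumptions, not captured telemetry.

```python
import ntpath
import re
from typing import List, Tuple

# Constructed events in the shape "parent_image|image|command_line" (sample data, not campaign telemetry).
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\Office16\EXCEL.EXE|EXCEL.EXE C:\Users\u\Desktop\report.xlsm",
    r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\Users\u\AppData\Local\Temp\12-B-366.txt",
    r"C:\Windows\System32\regsvr32.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\Users\u\AppData\Local\Temp\WINDOWSTEMP.ps1",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Users\u\AppData\Local\Temp\OfficeUpdateService.exe|OfficeUpdateService.exe",
    r"C:\Windows\explorer.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\Windows\System32\msxml3.dll",
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"regsvr32.exe", "powershell.exe", "mshta.exe"}
REGSVR_NORMAL_EXT = {".dll", ".ocx", ".ax"}
# Any absolute Windows path that passes through a "Temp" directory.
TEMP_PATH = re.compile(r'[A-Za-z]:\\[^\s"]*\\temp\\[^\s"]+', re.IGNORECASE)


def analyze_event(line: str) -> List[str]:
    """Return the names of the detections that fire on one event (empty list = nothing suspicious)."""
    parent, image, cmdline = line.split("|", 2)
    parent_name = ntpath.basename(parent).lower()
    image_name = ntpath.basename(image).lower()
    hits = []
    # 1. An Office application spawning a script/COM host: the macro kicking off the dropper chain.
    if parent_name in OFFICE_APPS and image_name in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # 2. regsvr32 pointed at a %TEMP% file that is not a DLL/OCX (the HTA-in-.txt trick).
    if image_name == "regsvr32.exe":
        if any(ntpath.splitext(p)[1].lower() not in REGSVR_NORMAL_EXT for p in TEMP_PATH.findall(cmdline)):
            hits.append("regsvr32_temp_non_dll")
    # 3. PowerShell executing a script dropped under %TEMP% (WINDOWSTEMP.ps1 in this campaign).
    if image_name == "powershell.exe" and any(p.lower().endswith(".ps1") for p in TEMP_PATH.findall(cmdline)):
        hits.append("powershell_temp_script")
    # 4. An executable running directly out of %TEMP% (OfficeUpdateService.exe in this campaign).
    if image_name.endswith(".exe") and TEMP_PATH.fullmatch(image):
        hits.append("exe_run_from_temp")
    return hits


def scan(events: List[str]) -> List[Tuple[str, List[str]]]:
    """Run every event through the detections; return (image basename, hits) for the ones that alerted."""
    results = []
    for event in events:
        hits = analyze_event(event)
        if hits:
            results.append((ntpath.basename(event.split("|", 2)[1]), hits))
    return results
```

Each stage of the chain raises its own alert, so a single stage being missed (for example a renamed script) still leaves the others to correlate on.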

DarkHydrus compiled RogueRobin with an extra command that allows it to use Google Drive as a secondary method for receiving instructions. The command is called ‘x_mode’ and is disabled by default. However, the adversary can turn it on over the DNS tunneling channel, which is the main line of communication with the C2 server.

The Trojan also checks for the presence of a virtual machine or sandbox before the malicious payload is triggered. Next, the backdoor collects the host name and sends the collected information to the C2 server through the DNS tunnel; a function named queryTypesTest is used for the DNS tunnel communication. The backdoor then tries to retrieve commands from the C2 server via the DNS tunnel, falling back to HTTP if that fails.


Once C2 commands have been retrieved successfully, they are dispatched by the taskHandler function.

Code Execution

  • regsvr32[.]exe
  • OfficeUpdateService[.]exe

Malware Hash (MD5/SHA1/SHA256)

It is recommended that users strictly avoid opening emails and documents from untrusted sources, and that Microsoft Office macros be disabled by default. Also consider blocking the threat indicators at their respective controls.

Copyright © Rewterz. All rights reserved.