Rewterz Threat Alert: DarkHydrus APT Uses Google Drive to Send Commands to RogueRobin Trojan

Monday, January 21, 2019

SEVERITY: Medium

ANALYSIS SUMMARY

The DarkHydrus APT group has emerged with a new variant of the RogueRobin Trojan that uses Google Drive as an alternative command and control (C2) communication channel.

Mostly targeting the Middle East, the campaign uses Excel documents as bait; the documents are embedded with malicious VBA code (a macro).

The document's name is written in the Arabic alphabet (‘Al-faharis and Al-itlaa’). As soon as the document is opened, the VBA macro is triggered.

That macro first drops 12-B-366[.]txt to the ‘%TEMP%’ directory, then leverages regsvr32[.]exe to run 12-B-366[.]txt, which is an HTA (HTML Application) file; the HTA in turn drops a PowerShell script to %TEMP%\WINDOWSTEMP[.]ps1. Finally, the PowerShell script extracts Base64-encoded content and drops it as %TEMP%\OfficeUpdateService[.]exe for execution.

DarkHydrus compiled RogueRobin with an extra command that allows the operators to use Google Drive as a secondary method for sending their instructions. The command is called ‘x_mode’ and it is disabled by default; however, the adversary can turn it on via the DNS tunneling channel, which is the main communication line with the C2 server.

It also checks for the presence of a virtual machine or sandbox before the malicious payload is triggered. Next, the backdoor collects the host name and sends the collected information to the C2 server through the DNS tunnel; the queryTypesTest function handles the DNS tunnel communication. The backdoor then tries to retrieve commands from the C2 server via the DNS tunnel, falling back to HTTP if that fails.

Once C2 commands have been retrieved successfully, they are dispatched by the taskHandler function.
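As an added detection example (not code from the Rewterz alert, and not the RogueRobin sample), the following Python flags the delivery chain described above in constructed Sysmon-style process events, and flags tunnel-like query patterns in a constructed DNS log; the %TEMP% location, the event tuple layout, the thresholds and the c2-tunnel.example domain are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events: (parent image, image, command line).
# They mirror the chain the alert describes; they are not a capture of the real sample.
PROC_EVENTS = [
    ("EXCEL.EXE", "regsvr32.exe", r"regsvr32.exe C:\Users\u\AppData\Local\Temp\12-B-366.txt"),
    ("regsvr32.exe", "powershell.exe", r"powershell.exe -File C:\Users\u\AppData\Local\Temp\WINDOWSTEMP.ps1"),
    ("powershell.exe", "OfficeUpdateService.exe", r"C:\Users\u\AppData\Local\Temp\OfficeUpdateService.exe"),
    ("explorer.exe", "regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\vendor.dll"),  # benign
]

# Matches a path under the user's %TEMP% (assumed default location) inside a command line.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+", re.IGNORECASE)

def flag_process_chain(events):
    """Return indices of events matching the delivery chain: regsvr32 run on a
    non-DLL file in %TEMP%, regsvr32 spawning PowerShell with a %TEMP% script,
    and PowerShell launching an executable from %TEMP%."""
    hits = []
    for i, (parent, image, cmd) in enumerate(events):
        paths = [m.group(0).lower() for m in TEMP_RE.finditer(cmd)]
        img, par = image.lower(), parent.lower()
        if img == "regsvr32.exe" and any(not p.endswith((".dll", ".ocx")) for p in paths):
            hits.append(i)
        elif img == "powershell.exe" and par == "regsvr32.exe" and any(p.endswith(".ps1") for p in paths):
            hits.append(i)
        elif par == "powershell.exe" and any(p.endswith(".exe") for p in paths):
            hits.append(i)
    return hits

# Constructed DNS query log: (queried name, record type). A tunnelled C2 channel
# produces many unique subdomains and an unusual mix of record types under one domain.
DNS_LOG = [
    ("a3f9c1e7b2d4.c2-tunnel.example", "TXT"), ("9b7e2c4d1a6f.c2-tunnel.example", "AAAA"),
    ("c8d2e1f4a7b3.c2-tunnel.example", "MX"), ("7e1a9c3b5d2f.c2-tunnel.example", "SRV"),
    ("www.example.com", "A"), ("mail.example.com", "MX"), ("www.example.com", "A"),
]

def dns_tunnel_suspects(log, min_unique=3, min_types=3):
    """Group queries by registered domain (assumed: last two labels) and return the
    domains with at least min_unique distinct subdomains across min_types record types."""
    stats = defaultdict(lambda: (set(), set()))
    for name, rtype in log:
        labels = name.lower().rstrip(".").split(".")
        subs, types = stats[".".join(labels[-2:])]
        if len(labels) > 2:
            subs.add(".".join(labels[:-2]))
        types.add(rtype.upper())
    return sorted(d for d, (s, t) in stats.items() if len(s) >= min_unique and len(t) >= min_types)
```

Running both functions over the constructed samples flags the three chain events and the tunnel domain while leaving the benign regsvr32 call and example.com alone; the thresholds should be tuned against a baseline of the monitored network's own DNS traffic.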

IMPACT

Code Execution

INDICATORS OF COMPROMISE

URLs


Filename

  • regsvr32[.]exe
  • OfficeUpdateService[.]exe

Malware Hash (MD5/SHA1/SHA256)


REMEDIATION

It is recommended that users strictly avoid opening emails and documents from untrusted sources, and that Microsoft Office macros be disabled by default. Also, consider blocking the threat indicators at their respective controls.
