SEVERITY: Medium
ANALYSIS SUMMARY
The DarkHydrus APT group has emerged with a new variant of the RogueRobin Trojan that uses Google Drive as an alternative command and control (C2) communication channel.
Mostly targeting the Middle East, the campaign uses Excel documents as bait, embedded with malicious VBA code (a macro).
The document's name is written in the Arabic alphabet ('Al-faharis and Al-itlaa'). As soon as the document is opened, the VBA macro is triggered.
That macro first drops 12-B-366[.]txt into the %TEMP% directory, then uses regsvr32[.]exe to run 12-B-366[.]txt, which is an HTA (HTML application) file that drops a PowerShell script to %TEMP%\WINDOWSTEMP[.]ps1. Finally, the PowerShell script extracts Base64-encoded content and writes %TEMP%\OfficeUpdateService[.]exe for execution.
DarkHydrus compiled RogueRobin with an extra command that allows it to use Google Drive as a secondary method for receiving instructions. The command is called 'x_mode' and is disabled by default; however, the adversary can turn it on over the DNS tunneling channel, which is the main communication line with the C2 server.
The backdoor also checks for a virtual machine or sandbox before the malicious payload is triggered. Next, it collects the host name and sends the collected information to the C2 server through the DNS tunnel; the queryTypesTest function handles the DNS tunnel communication. The backdoor then tries to retrieve commands from the C2 server via the DNS tunnel, falling back to HTTP if that fails.
Once C2 commands are retrieved successfully, they are dispatched by taskHandler.
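As an added defender-side example (not part of the Rewterz alert), the following Python sketch matches Sysmon-style process-creation events against the infection chain described above: regsvr32 handed a non-DLL file from %TEMP%, an Office application spawning regsvr32, PowerShell running a dropped .ps1, and an executable launched from %TEMP%. The event records, user paths and lure file name are constructed for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style);
# illustrative only, not telemetry captured from the campaign.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" C:\Users\bob\Downloads\lure.xls'},
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe C:\Users\bob\AppData\Local\Temp\12-B-366.txt"},
    {"pid": 4, "ppid": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\bob\AppData\Local\Temp\WINDOWSTEMP.ps1"},
    {"pid": 5, "ppid": 4, "image": r"C:\Users\bob\AppData\Local\Temp\OfficeUpdateService.exe",
     "cmdline": "OfficeUpdateService.exe"},
    # Benign control: an installer registering a real DLL from Program Files.
    {"pid": 6, "ppid": 1, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},
]

OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")
# Any path under the per-user %TEMP% directory (the drop location used in this chain).
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Return (rule_name, pid) tuples for events matching the described infection chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = _basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = _basename(parent["image"]) if parent else ""
        temp_args = [m.group(0) for m in TEMP_PATH.finditer(e["cmdline"])]
        # Rule 1: regsvr32 given a non-DLL file from %TEMP% (the HTA-disguised-as-.txt stage).
        if name == "regsvr32.exe" and any(not a.lower().endswith(".dll") for a in temp_args):
            hits.append(("regsvr32_non_dll_from_temp", e["pid"]))
        # Rule 2: an Office application spawning regsvr32 is abnormal in itself.
        if name == "regsvr32.exe" and parent_name in OFFICE_APPS:
            hits.append(("office_spawned_regsvr32", e["pid"]))
        # Rule 3: PowerShell executing a script file that was dropped into %TEMP%.
        if name == "powershell.exe" and any(a.lower().endswith(".ps1") for a in temp_args):
            hits.append(("powershell_script_from_temp", e["pid"]))
        # Rule 4: an executable launched directly from %TEMP% (the final payload stage).
        if name.endswith(".exe") and TEMP_PATH.search(e["image"]):
            hits.append(("exe_launched_from_temp", e["pid"]))
    return hits
```

Feeding real Sysmon or EDR process events into detect_chain() in place of SAMPLE_EVENTS yields the same rule hits; the benign regsvr32 event produces none.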
IMPACT
Code Execution
INDICATORS OF COMPROMISE
URLs
Filename
- regsvr32[.]exe
- OfficeUpdateService[.]exe
Malware Hash (MD5/SHA1/SHA256)
REMEDIATION
It is recommended that users strictly avoid opening emails and documents from untrusted sources, and that Microsoft Office macros be disabled by default. Also, consider blocking the threat indicators at their respective controls.