DarkHydrus APT group emerges with a new variant of the RogueRobin Trojan and uses Google Drive as an alternative command and control (C2) communication channel.
Mostly targeting the Middle East, the campaign uses Excel documents as bait, embedded with malicious VBA code (macros).
The document name is written in the Arabic alphabet (‘Al-faharis and Al-itlaa’). As soon as the document is opened, the VBA macro is triggered to run.
That macro first drops 12-B-366[.]txt to the ‘%TEMP%’ directory, then leverages regsvr32[.]exe to run 12-B-366[.]txt, which is actually an HTA (HTML Application) file; the HTA in turn drops a PowerShell script to %TEMP%\\WINDOWSTEMP[.]ps1. Finally, the PowerShell script extracts Base64-encoded content and drops it as %TEMP%\\OfficeUpdateService[.]exe for execution.
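As an added example (not code from the advisory or from the DarkHydrus sample), the following Python checks process-creation telemetry for the three-stage drop chain described above: an Office process running regsvr32 against a non-DLL file in %TEMP%, regsvr32 spawning PowerShell on a .ps1 in %TEMP%, and PowerShell launching an .exe from %TEMP%. The events, user name, install paths and command-line switches are constructed for the example; only the dropped file names come from the advisory.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """One process-creation record (Sysmon event ID 1 style), constructed for this example."""
    parent_image: str
    image: str
    command_line: str

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Paths under a user's %TEMP% directory; the trailing [^\s"']+ captures the referenced file name.
TEMP_FILE = re.compile(r"[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\s\"']+", re.I)
LEGIT_REGSVR_EXT = (".dll", ".ocx", ".ax")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: ProcessEvent):
    """Name the stage of the dropper chain this event resembles, or None if it matches no stage."""
    parent, image = basename(ev.parent_image), basename(ev.image)
    refs = [r.lower() for r in TEMP_FILE.findall(ev.command_line)]
    # Stage 1: an Office process runs regsvr32 against a non-DLL file in %TEMP% (the .txt HTA).
    if image == "regsvr32.exe" and parent in OFFICE_APPS and any(not r.endswith(LEGIT_REGSVR_EXT) for r in refs):
        return "stage1_office_regsvr32_temp_script"
    # Stage 2: regsvr32, hosting the HTA's script, spawns PowerShell on a .ps1 written to %TEMP%.
    if image == "powershell.exe" and parent == "regsvr32.exe" and any(r.endswith(".ps1") for r in refs):
        return "stage2_hta_spawns_powershell"
    # Stage 3: PowerShell launches an executable it dropped into %TEMP%.
    if parent == "powershell.exe" and image.endswith(".exe") and TEMP_FILE.match(ev.image):
        return "stage3_powershell_runs_temp_exe"
    return None

def scan(events):
    """Return (stage, command_line) for each event that matches a stage, in telemetry order."""
    return [(s, ev.command_line) for ev in events if (s := classify(ev))]

# Constructed sample telemetry: file names follow the advisory; user name, paths and switches are made up.
T = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE", r"C:\Windows\System32\regsvr32.exe",
                 f'regsvr32.exe /s "{T}\\12-B-366.txt"'),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 f"powershell.exe -ExecutionPolicy Bypass -File {T}\\WINDOWSTEMP.ps1"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", f"{T}\\OfficeUpdateService.exe",
                 f"{T}\\OfficeUpdateService.exe"),
    # Benign control: an installer registering a real DLL must not fire.
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\regsvr32.exe",
                 r'regsvr32.exe /s "C:\Program Files\Vendor\codec.dll"'),
]
```

Calling scan(SAMPLE_EVENTS) flags the first three events as stages 1 to 3 and ignores the benign regsvr32 call; the benign case matters because plain regsvr32 execution is far too common to alert on by itself.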
DarkHydrus compiled this RogueRobin variant with an extra command that lets it use Google Drive as a secondary channel for receiving instructions. The command is called ‘x_mode’ and is disabled by default; however, the adversary can enable it over the DNS tunneling channel, which is the main communication line with the C2 server.
It also checks for the presence of a virtual machine or sandbox before the malicious payload is triggered. Next, the backdoor collects the host name and sends the collected information to the C2 server through the DNS tunnel; a function named queryTypesTest handles the DNS tunnel communication. The backdoor then tries to retrieve commands from the C2 server via the DNS tunnel, falling back to HTTP if that fails.
Once C2 commands are retrieved successfully, they are dispatched by taskHandler.
INDICATORS OF COMPROMISE
Malware Hash (MD5/SHA1/SHA256)
It is recommended that users strictly avoid opening emails and documents from untrusted sources, and that Microsoft Office macros be disabled by default. Also, consider blocking the threat indicators at their respective controls.