Since most security tools also keep an eye on the network traffic to detect malicious IP addresses, attackers are increasingly adopting infrastructure of legitimate services in their attacks to hide their malicious activities.
New malicious campaigns attributed to DarkHydrus APT group show the adversary’s use of a new variant of the RogueRobin Trojan and of Google Drive as an alternative command and control communication channel (CnC).
The group’s latest activity was observed against targets in the Middle East, luring them with Excel documents laced with malicious VBA code (macros).
For security reasons, macros are disabled by default in the Microsoft Office suite, and they do not run unless the user enables the feature manually.
Researchers from the 360 Threat Intelligence Center (360TIC) said the hackers have a new campaign underway which is focusing on targets in the Middle East of political value.
Also tracked as Lazy Meerkat by Kaspersky Lab, whose researchers have described the threat group as both “sneaky” and “creative,” the latest DarkHydrus scheme was first spotted after 360TIC obtained samples of malicious Microsoft Excel documents on 9 January 2019.
Written in Arabic, the documents contain embedded VBA macros which will trigger if the file is opened. The macro will then drop a text file to a temporary directory before utilizing the legitimate regsvr32.exe to run the text file. In turn, a PowerShell script is dropped which unpacks Base64 content to execute OfficeUpdateService.exe, a backdoor written in C#.
The backdoor’s PDB path is telling: it contains a project named “DNSProject”, which the researchers say “illustrates that the malware may leverage some DNS techniques to achieve its goal.”
The Chinese researchers noticed that the macro in the malicious documents downloaded the a.TXT file, after which the legitimate ‘regsvr32.exe’ application was used to run it. After several more steps, a backdoor written in C# is dropped on the victim machine.
According to research from Palo Alto Networks’ Unit 42, the text file hides a Windows Script Component (.SCT) file that delivers a version of the RogueRobin trojan. Originally, this custom payload is PowerShell-based, but it looks like the threat actor ported it to a compiled variant.
Using Google Drive to deliver instructions
DarkHydrus compiled RogueRobin with an extra command that allows it to use Google Drive as a secondary method for receiving the operators’ instructions.
The command is called ‘x_mode’ and it is disabled by default. However, the adversary can turn it on via the DNS tunneling channel, which is the main communication line with the C2 server.
Immediately after activation, the trojan receives a list of settings stored in variables that are set when the ‘x_mode’ command is sent; these values allow it to exchange information through Google Drive: the URLs for downloading, uploading and updating files, and the authentication details.
The information exchange happens after RogueRobin uploads a file to Google Drive. The document is then monitored for changes. Any modification is considered a command.
DarkHydrus sends regards
Both research teams observed that RogueRobin checks if it is running in a sandbox environment.
In a report this week, Unit 42 writes that “in addition to checks for common analysis tools running on the system, the Trojan also checks to see if a debugger is attached to its processes and will exit if it detects the presence of a debugger.”
In their analysis, the researchers say that RogueRobin uses DNS tunneling to talk to the C2 server and checks for a debugger every time it issues a DNS query.
If a debugger is identified, the query resolves to a hex-coded subdomain (676f6f646c75636b.gogle[.]co) that translates to ‘good luck.’
“This DNS query likely exists as a note to researchers or possibly as an anti-analysis measure, as it will only trigger if the researcher has already patched the initial debugger check to move onto the C2 function,” speculate the researchers.
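The debugger-triggered query above is a useful detection hook: its leftmost label is plain hex that decodes to readable ASCII, which ordinary hostnames almost never are. The following Python is an added example (not code from the article or from either research team) that scans constructed DNS query log lines, decodes hex-only labels, and flags both the specific RogueRobin marker and any other hex label that decodes to printable text, a generic sign of DNS tunneling. Note that the bytes 676f6f646c75636b decode to the string “goodluck” without a space; the article renders it ‘good luck’.

```python
import re
from typing import Dict, List, Optional

# Constructed sample DNS query log (not from the article). Format per line:
# "<timestamp> <client_ip> <queried_name>". The second line uses the subdomain
# reported by Unit 42; the third is a made-up hex label standing in for
# tunneled data.
SAMPLE_DNS_LOG = """\
2019-01-09T10:01:02Z 10.0.0.5 www.example.com
2019-01-09T10:01:03Z 10.0.0.5 676f6f646c75636b.gogle.co
2019-01-09T10:01:04Z 10.0.0.7 4142434445464748494a4b4c.gogle.co
2019-01-09T10:01:05Z 10.0.0.7 mail.example.org
"""

# A label made only of hex byte pairs, at least four bytes long.
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2}){4,}$", re.IGNORECASE)

ROGUEROBIN_MARKER = "goodluck"  # 676f6f646c75636b decoded


def decode_hex_label(label: str) -> Optional[str]:
    """Return the ASCII text of a hex-encoded DNS label, or None if the
    label is not hex or does not decode to printable ASCII."""
    if not HEX_LABEL.match(label):
        return None
    try:
        text = bytes.fromhex(label).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_dns_log(log: str) -> List[Dict[str, str]]:
    """Flag queries whose leftmost label is hex that decodes to text."""
    findings: List[Dict[str, str]] = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the scan
        ts, client, qname = parts
        decoded = decode_hex_label(qname.lower().split(".")[0])
        if decoded is None:
            continue
        verdict = ("roguerobin_debugger_marker" if decoded == ROGUEROBIN_MARKER
                   else "hex_encoded_label")
        findings.append({"ts": ts, "client": client, "qname": qname,
                         "decoded": decoded, "verdict": verdict})
    return findings
```

Run against a real resolver log, the `hex_encoded_label` verdict will also catch benign hex hostnames, so pair it with a volume or entropy threshold before alerting.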
DarkHydrus was discovered by Palo Alto Networks’ Unit 42 team last summer in attacks against a government agency in the Middle East.
Costin Raiu, head of the GREAT (Global Research and Analysis Team) at Kaspersky Lab, described the actor as “sneaky” and “creative,” with an interest in the “Middle East, governments and aviation.”
DarkHydrus was also observed hunting for credentials from educational institutions in the same region. Unit 42 noticed such an attack as recently as June 24, 2018.