DarkHydrus APT Uses Google Drive to Send Commands to RogueRobin Trojan

New malicious campaigns attributed to DarkHydrus APT group show the adversary’s use of a new variant of the RogueRobin Trojan and of Google Drive as an alternative command and control (C2) communication channel.

The group’s latest activity was observed against targets in the Middle East, luring them with Excel documents laced with malicious VBA code (macro).

For security reasons, macros are disabled by default in the Microsoft Office suite, and they do not run unless the user enables the feature manually.

Recycling its malware

These attacks were first observed by researchers at 360’s Threat Intelligence Center (360 TIC) on January 9, who attributed them to the DarkHydrus APT group, which Kaspersky Lab tracks as Lazy Meerkat.

The Chinese researchers noticed that the macro in the malicious documents downloaded a .TXT file and then used the legitimate ‘regsvr32.exe’ application to run it. After several more steps, a backdoor written in C# is dropped on the victim machine.

According to research from Palo Alto Networks’ Unit 42, the text file hides a Windows Script Component (.SCT) file that delivers a version of the RogueRobin trojan. This custom payload was originally PowerShell-based, but the threat actor appears to have ported it to a compiled variant.

[Image credit: 360 TIC]

Using Google Drive to deliver instructions

DarkHydrus compiled RogueRobin with an extra command that allows it to use Google Drive as a secondary method for receiving instructions.

The command is called ‘x_mode’ and it is disabled by default. However, the adversary can turn it on via the DNS tunneling channel, which is the main communication line with the C2 server.

[Image credit: 360 TIC]

Immediately after activation, the trojan receives a list of settings stored in variables set when the ‘x_mode’ command is sent; these values allow it to exchange information through Google Drive: the URLs for downloading, uploading, and updating files, and the authentication details.

[Image credit: Unit 42]

The information exchange happens after RogueRobin uploads a file to Google Drive. The document is then monitored for changes. Any modification is considered a command.

DarkHydrus sends regards

Both research teams observed that RogueRobin checks if it is running in a sandbox environment.

[Image credit: 360 TIC]

In a report this week, Unit 42 writes that “in addition to checks for common analysis tools running on the system, the Trojan also checks to see if a debugger is attached to its processes and will exit if it detects the presence of a debugger.”

In their analysis, the researchers say that RogueRobin uses DNS tunneling to talk to the C2 server and checks for a debugger every time it issues a DNS query.

If a debugger is identified, the query resolves to a hex-coded subdomain (676f6f646c75636b.gogle[.]co) that translates to ‘goodluck.’

[Image credit: Unit 42]

“This DNS query likely exists as a note to researchers or possibly as an anti-analysis measure, as it will only trigger if the researcher has already patched the initial debugger check to move onto the C2 function,” speculate the researchers.
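The hex-encoded ‘goodluck’ label described above is a pattern defenders can hunt for in DNS logs: a leftmost label that is pure hex and decodes to printable ASCII. The following detector is an added example written for this article, not code from 360 TIC or Unit 42; the log format and client addresses are constructed, and the domain is the one quoted above with the defanging brackets removed.

```python
"""Flag DNS queries whose leftmost label is hex that decodes to printable ASCII,
the shape of RogueRobin's 'goodluck' debugger beacon. Added example for this
article (not 360 TIC or Unit 42 code); the log lines below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Even-length hex string of at least 4 bytes; shorter labels are too noisy.
HEX_LABEL = re.compile(r"(?:[0-9a-fA-F]{2}){4,}")

# Constructed sample in a simple "timestamp client qtype qname" format.
SAMPLE_LOG = """\
2019-01-18T10:00:01Z 10.0.0.5 A www.example.com
2019-01-18T10:00:02Z 10.0.0.5 A 676f6f646c75636b.gogle.co
2019-01-18T10:00:03Z 10.0.0.7 A deadbeef.cdn.example.net
2019-01-18T10:00:04Z 10.0.0.7 A abcd.example.org
"""


@dataclass
class Finding:
    query: str    # full queried name
    decoded: str  # what the hex label spells out


def decode_hex_label(label: str) -> Optional[str]:
    """Return the decoded text if `label` is hex that decodes to printable ASCII."""
    if not HEX_LABEL.fullmatch(label):
        return None
    try:
        text = bytes.fromhex(label).decode("ascii")
    except UnicodeDecodeError:
        return None  # hex-looking but not text (e.g. a CDN cache id like deadbeef)
    return text if text.isprintable() else None


def scan_dns_log(log_text: str) -> List[Finding]:
    """Parse the constructed log format and report suspicious leftmost labels."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or blank lines
        qname = parts[3].rstrip(".")
        decoded = decode_hex_label(qname.split(".")[0])
        if decoded is not None:
            findings.append(Finding(query=qname, decoded=decoded))
    return findings


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_LOG):
        print(f"{f.query} -> {f.decoded!r}")
```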

DarkHydrus was discovered by Palo Alto Networks’ Unit 42 team last summer in attacks against a government agency in the Middle East.

Costin Raiu, head of the GREAT (Global Research and Analysis Team) at Kaspersky Lab, described the actor as “sneaky” and “creative,” with an interest in the “Middle East, governments and aviation.”

DarkHydrus was also observed hunting for credentials from educational institutions in the same region. Unit 42 noticed such an attack as recently as June 24, 2018.
