DarkHydrus APT group delivers RogueRobin Trojan via Google Drive

News by Rene Millman

New RogueRobin malware uses Google Docs as alternative channel to receive commands

APT group Dark Hydrus has launched a new malware campaign, adopting an updated version of the RogueRobin Trojan and using Google Drive as an alternative channel of communication with it.

During a previous campaign, the group attacked targets in the Middle East. The Trojan got on the victims' computers through an Excel document with malicious VBA macro code. The attack was recorded on 9 January by security researchers at Chinese 360’s ??Threat Intelligence Center (360 TIC). Researchers attributed it to the DarkHydrus APT group.

Researchers found macros in a malicious document that load the .TXT file and then launch it using a legitimate application called regsvr32.exe. After a few stages, a backdoor written in C# is loaded onto the target system.

Researchers at Palo Alto Networks Unit 42 said in a blog post that a Windows Script Component (.SCT) file downloads the RogueRobin Trojan variant and is hidden in the text file. Normally, the payload is based on PowerShell, but it appears that cyber-criminals ported it into a compiled version.

This new compiled version of RogueRobin adds a new feature that allows the Trojan to use Google Drive as an alternative channel of communication for instructions. The command mode is known as "x_mode" and is disabled by default. But hackers can switch this on via DNS tunnelling to communicate with its C2 server using a variety of different DNS query types.

RogueRobin also checks to see if it is running in a sandbox environment. "In addition to checks for common analysis tools running on the system. The Trojan also checks to see if a debugger is attached to its processes and will exit if it detects the presence of a debugger," researchers said.

This debugger check is carried out every time a DNS query is issued. If a debugger is identified, a DNS query is issued that resolves to 676f6f646c75636b.google[.]co (a legitimate domain owned by Google). This is a hex encoded string which decodes to goodluck. 

"This DNS query likely exists as a note to researchers or possibly as an anti-analysis measure, as it will only trigger if the researcher has already patched the initial debugger check to move onto the C2 function," said researchers.

Researchers said that recent DarkHydrus delivery documents revealed the group abusing open-source penetration testing techniques such as the AppLocker bypass. 

"The payloads installed by these delivery documents show that the DarkHydrus actors ported their previous PowerShell-based RogueRobin code to an executable variant, which is behaviour that has been commonly observed with other adversary groups operating in the Middle East, such as OilRig," said researchers.

This new variant, with its use of Google Drive cloud service for its C2 channel, suggested that "DarkHydrus may be shifting to abusing legitimate cloud services for their infrastructure", according to researchers.

Roy Rashti, cyber-security expert at BitDam, told SC Media UK that as the malware is delivered via email, the first step should be checking if one of the known droppers was sent to anyone in the organisation.

"The next step would be to look for the executable itself. It should be located at '%APPDATA%\Microsoft\Windows\Templates\' folder, named WindowsTemplate.exe. Another necessary cautionary step would be to make sure that all your security solutions are up to date. Delaying security updates puts organisations at risk and in this case, these updates would help," he said.

Dr Simon Wiseman, CTO of Deep Secure, told SC that another serious issue is the evolution to use Google docs. "It is nearly impossible from a business perspective to ban something as widely used as Google and the attackers will also know this. Using Google as a C2 channel is concerning and we may see more of this in 2019," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews