The DarkHydrus advanced persistent threat (APT) group is back and this time is not only using Windows vulnerabilities to infect victims but is also abusing Google Drive as an alternative communications channel.
Last week, researchers from the 360 Threat Intelligence Center (360TIC) said the hackers have a new campaign underway which is focusing on targets of political value in the Middle East.
The group is also tracked as Lazy Meerkat by Kaspersky Lab researchers, who have described it as both "sneaky" and "creative." The latest DarkHydrus scheme was first spotted after 360TIC secured samples of malicious Microsoft Excel documents on 9 January 2019.
Written in Arabic, the documents contain embedded VBA macros which will trigger if the file is opened. The macro will then drop a text file to a temporary directory before utilizing the legitimate regsvr32.exe to run the text file. In turn, a PowerShell script is dropped which unpacks Base64 content to execute OfficeUpdateService.exe, a backdoor written in C#.
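The chain described above (an Office macro, then regsvr32.exe run against a text file in a temporary directory, then PowerShell, then OfficeUpdateService.exe) leaves a recognizable trail in process-creation logs. The following Python is an added example, not code from 360TIC or Palo Alto; it assumes events carry the Sysmon Event ID 1 fields Image, ParentImage and CommandLine, and the sample events, the list of Office parents and the list of file extensions are constructed for illustration.

```python
import ntpath
import re

# Assumption: Office applications whose child processes are worth checking.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# regsvr32 normally registers .dll/.ocx files; a text file argument is unusual.
NON_LIBRARY_ARG = re.compile(r"\.(txt|tmp|dat|log)\b", re.I)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\|%temp%", re.I)

def _name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()

def reasons_for(ev):
    """Return the reasons an event matches the chain described in the article."""
    image, parent = _name(ev.get("Image")), _name(ev.get("ParentImage"))
    cmd = ev.get("CommandLine", "")
    hits = []
    if image == "regsvr32.exe":
        if parent in OFFICE_PARENTS:
            hits.append("regsvr32 started by an Office application")
        if NON_LIBRARY_ARG.search(cmd):
            hits.append("regsvr32 pointed at a non-library file")
        if TEMP_DIR.search(cmd):
            hits.append("regsvr32 target is in a temporary directory")
    if image == "powershell.exe" and parent == "regsvr32.exe":
        hits.append("PowerShell started by regsvr32")
    if image == "officeupdateservice.exe":
        hits.append("file name reported for the backdoor")
    return hits

def triage(events):
    """Map event index -> reasons, for events with at least one hit."""
    return {i: r for i, ev in enumerate(events) if (r := reasons_for(ev))}

# Constructed sample events (paths and user names are made up).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "CommandLine": r"regsvr32.exe C:\Users\user1\AppData\Local\Temp\sample.txt"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "powershell.exe -File sample.ps1"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\App\plugin.dll"},
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS).items():
        print(idx, "; ".join(why))
```

The third sample event, an installer registering a DLL, produces no hits, which is the baseline the first two events stand out against.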
The backdoor contains an interesting artifact. Its PDB path includes a project name, "DNSProject," which the researchers say "illustrates that the malware may leverage some DNS techniques to achieve its goal."
If set to maintain persistence on the machine, the backdoor, a variant of the RogueRobin Trojan, will not only create new registry files but will also employ anti-analysis techniques including machine detection and sandbox detection. The Trojan also contains anti-debug code.
Researchers from Palo Alto say the RogueRobin Trojan deployed in these attacks appears to be a compiled variant which will collect and send stolen system information, including hostnames, to a command-and-control (C2) server through a DNS tunnel.
However, if this tunnel is not available, the Trojan contains instructions under the name "x_mode" to use Google Drive as an alternative file server which acts as a backup should the main C2 communication route fail.
"The x_mode command is disabled by default, but when enabled via a command received from the DNS tunneling channel, it allows RogueRobin to receive a unique identifier and to get jobs by using Google Drive API requests," Palo Alto says.
The APT has been active since at least 2017 with various credential-harvesting campaigns. DarkHydrus tends to use spear-phishing emails which lure victims to provide login details through an attached 'template' file hosted on remote servers controlled by the attackers.
DarkHydrus uses open-source phishing tools to create the malicious documents required by these attacks and entices victims to open these files with names such as "project proposal."
The APT is also believed to be using CVE-2018-8414, a Microsoft Windows validation path vulnerability which can result in remote code execution when exploited.
"In recent APT incidents, more and more threat actors tend to adopt Office VBA macro instead of Office zero-day vulnerabilit[ies] in the consideration of cost reduction," the researchers say. "It is recommended that users avoid open[ing] documents from untrusted sources."