DarkHydrus Hackers Use Google Drive in Recent Attacks

The DarkHydrus threat group has added new functionality to the payloads used in recent attacks and is also leveraging Google Drive for command and control (C&C) purposes, Palo Alto Networks security researchers say. 

First detailed in the summer of 2018, when it was using open-source tools in attacks on government entities in the Middle East, the group was also registering typosquatted domains impersonating security and technology vendors and using novel file types as an anti-analysis technique.

The security researchers collected a total of three DarkHydrus delivery documents that were delivering a new variant of the group’s RogueRobin Trojan. None of these macro-enabled Excel documents contained instructions for the intended victims to enable the macros, but such instructions might have been provided at delivery.

Palo Alto Networks’ researchers couldn’t establish how the documents were delivered or when they were used in attacks, but they believe DarkHydrus created these documents in December 2018 and January 2019. 

The macro is executed to create a PowerShell script that writes a .ps1 file and a .sct file to the TEMP folder. The .sct file is used as a Windows Script Component file and executed using the legitimate regsvr32.exe application to bypass AppLocker, the researchers reveal. 

The .ps1 script is a dropper that writes an embedded executable to disk and creates a shortcut (.lnk) file in the Startup folder so that the executable runs persistently each time Windows starts. The payload is a C# version of RogueRobin, suggesting that DarkHydrus ported their code to a compiled variant.
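The delivery and persistence chain above (Office macro, script files dropped into TEMP, regsvr32.exe loading the .sct, a .lnk written to the Startup folder) leaves distinct endpoint telemetry. The following detection logic is an added example and not code from Palo Alto Networks or SecurityWeek; it assumes Sysmon-style process-creation (event 1) and file-creation (event 11) records with the field names shown, and the regsvr32 scriptlet command-line pattern it matches is an assumption about how a .sct is typically invoked, not a detail taken from the article.

```python
import re

# Patterns are assumptions for illustration, not indicators from the article.
REGSVR32 = re.compile(r"\\regsvr32\.exe$", re.I)
SCRIPTLET = re.compile(r"(\.sct\b|scrobj\.dll)", re.I)          # .sct scriptlet load
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
TEMP_SCRIPT = re.compile(r"\\Temp\\[^\\]+\.(ps1|sct)$", re.I)   # .ps1/.sct dropped in TEMP
SCRIPT_WRITER = re.compile(r"\\(EXCEL|WINWORD|POWERPNT|powershell)\.exe$", re.I)

# Constructed sample events (Sysmon-like field names assumed); not real telemetry.
SAMPLE_EVENTS = [
    {"event": 11, "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\bob\AppData\Local\Temp\stage.sct"},
    {"event": 1, "host": "WS01", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s /n /u /i:C:\Users\bob\AppData\Local\Temp\stage.sct scrobj.dll",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"event": 11, "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk"},
    {"event": 1, "host": "WS02", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\legit.dll",   # benign DLL registration
     "parent": r"C:\Windows\System32\msiexec.exe"},
]

def detect(events):
    """Return (host, rule, evidence) tuples for events matching the chain."""
    hits = []
    for ev in events:
        image = ev.get("image", "")
        if ev["event"] == 1 and REGSVR32.search(image) and SCRIPTLET.search(ev.get("cmdline", "")):
            hits.append((ev["host"], "regsvr32_scriptlet_exec", ev["cmdline"]))
        elif ev["event"] == 11 and STARTUP_LNK.search(ev.get("target", "")):
            hits.append((ev["host"], "startup_lnk_persistence", ev["target"]))
        elif ev["event"] == 11 and TEMP_SCRIPT.search(ev.get("target", "")) and SCRIPT_WRITER.search(image):
            hits.append((ev["host"], "script_dropped_in_temp", ev["target"]))
    return hits

def hosts_with_full_chain(events):
    """Hosts where all three stages fired; useful for prioritising triage."""
    by_host = {}
    for host, rule, _ in detect(events):
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items() if len(rules) == 3)

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("full chain on:", hosts_with_full_chain(SAMPLE_EVENTS))
```

Only the benign regsvr32 DLL registration on WS02 is left unflagged; in practice the regsvr32 rule should be tuned against legitimate scriptlet usage in your environment before alerting on it alone.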

The malware attempts to see if it is running in a sandbox environment by using commands to check for virtualized environments, low memory, and processor counts, as well as for common analysis tools running on the system. The Trojan also checks if a debugger is attached to its processes. 

The C# variant of RogueRobin uses DNS tunneling to communicate with its command and control (C&C) server and checks for an attached debugger each time it issues a DNS query. If the check passes, the query resolves to a legitimate domain owned by Google, likely as an anti-analysis measure, “as it will only trigger if the researcher has already patched the initial debugger check.” 

The Trojan uses DNS requests to retrieve jobs from the C&C server, which are handled as commands. 

The new malware variant also includes a command (x_mode) that enables an alternative C&C channel leveraging the Google Drive API. The command is disabled by default but can be enabled via a command received from the C&C server. One sample, however, had a hardcoded Google Drive URL.

When in x_mode, the malware uploads a file to a Google Drive account and continually checks the file’s modification time for changes. The first modification includes a unique identifier, while the following changes are treated as commands. 

DarkHydrus, however, isn’t the first threat actor to abuse Google Drive for C&C purposes. OilRig, a group actively targeting United States and Middle Eastern organizations in the financial and government industries since 2015, has been abusing the legitimate service in their attacks as well. 

The new DarkHydrus attacks, Palo Alto Networks’ security researchers conclude, reveal not only that the group continues operations and adds new techniques to their playbook, but also that they might be shifting to abusing legitimate cloud services for their infrastructure.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
