The DarkHydrus threat group has added new functionality to the payloads used in recent attacks and is also leveraging Google Drive for command and control (C&C) purposes, Palo Alto Networks security researchers say.
The group was first documented in the summer of 2018, when it was using open-source tools in attacks on government entities in the Middle East; at the time it was also registering typosquatted domains that imitated security and technology vendors and using uncommon file types to hinder analysis.
The researchers collected three DarkHydrus delivery documents, all macro-enabled Excel files, that delivered a new variant of the group's RogueRobin Trojan. None of them contained text urging the recipient to enable macros, although such instructions may have been provided separately at delivery.
Palo Alto Networks’ researchers couldn’t establish how the documents were delivered or when they were used in attacks, but they believe DarkHydrus created these documents in December 2018 and January 2019.
When the macro runs, it builds a PowerShell script that writes a .ps1 file and a .sct file to the TEMP folder. The .sct file is a Windows Script Component, and it is executed through the legitimate regsvr32.exe binary, a well-known way to bypass AppLocker since the signed Microsoft executable is normally permitted by application allow-listing policies, the researchers reveal.
The .ps1 script is a dropper: it writes an embedded executable to disk and creates a shortcut (.lnk) file in the Startup folder so that the executable runs each time Windows starts. The payload is a C# version of RogueRobin, which suggests that DarkHydrus ported the original PowerShell-based Trojan to a compiled language.
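The delivery chain described above (Office document spawning PowerShell, regsvr32.exe loading a .sct scriptlet out of TEMP, a .lnk dropped into the Startup folder) is easy to hunt for in endpoint telemetry. The script below is an added example and is not code from the article or from Palo Alto Networks; the events it runs over are constructed and loosely modeled on Sysmon process-creation and file-creation records. It assumes the regsvr32 command line takes the well-known scriptlet-loading form (`/s /n /u /i:<file> scrobj.dll`); the report only states that regsvr32.exe executed the .sct file.

```python
"""Hunt for the RogueRobin delivery chain in endpoint telemetry.

Added example, not code from the article or from Unit 42. Events are
constructed and modeled loosely on Sysmon process-creation (ID 1) and
file-creation (ID 11) records. Assumption: the regsvr32 command line uses
the well-known scriptlet-loading form (/s /n /u /i:<file> scrobj.dll)."""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "regsvr32.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# /i:<path> argument of regsvr32, with or without surrounding quotes
REGSVR32_INSTALL_ARG = re.compile(r'/i:"?([^\s"]+)', re.IGNORECASE)
# a .lnk written directly into the per-user Startup folder
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$",
                         re.IGNORECASE)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)

# Constructed sample telemetry: WS01 shows the full chain, WS02 is benign.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoP -W Hidden -File C:\Users\victim\AppData\Local\Temp\stage.ps1"},
    {"type": "process", "host": "WS01",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:C:\Users\victim\AppData\Local\Temp\stage.sct scrobj.dll"},
    {"type": "file", "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"},
    {"type": "process", "host": "WS02",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
    {"type": "process", "host": "WS02",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
]


def _name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the suspicious traits of one event (empty list if benign)."""
    hits = []
    if event["type"] == "process":
        parent, image = _name(event["parent"]), _name(event["image"])
        cmd = event["cmdline"]
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            hits.append(f"office app spawned script host: {parent} -> {image}")
        if image == "regsvr32.exe":
            m = REGSVR32_INSTALL_ARG.search(cmd)
            # scriptlet load: /i: points at a .sct, or scrobj.dll is the "DLL"
            if m and (m.group(1).lower().endswith(".sct")
                      or "scrobj.dll" in cmd.lower()):
                where = "in TEMP" if TEMP_DIR.search(m.group(1)) else "outside TEMP"
                hits.append(f"regsvr32 scriptlet execution ({where}): {m.group(1)}")
    elif event["type"] == "file":
        if STARTUP_LNK.search(event["target"]):
            hits.append(f"shortcut written to Startup folder: {event['target']}")
    return hits


def hunt(events):
    """Group findings by host; several stages on one host is the strongest signal."""
    by_host = {}
    for ev in events:
        for hit in classify(ev):
            by_host.setdefault(ev["host"], []).append(hit)
    return by_host


if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {len(hits)} stage(s) of the delivery chain")
        for h in hits:
            print("  -", h)
```

Each rule on its own produces noise (regsvr32.exe registers legitimate COM servers all day, and Office does spawn helper processes), which is why `hunt` groups findings per host: one workstation showing an Office-spawned script host, a scriptlet load from TEMP and a new Startup shortcut within a short window is the pattern worth escalating.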
The malware checks whether it is running in a sandbox by looking for signs of virtualization, low memory, a low processor count, and common analysis tools running on the system. The Trojan also checks whether a debugger is attached to its process.
The C# variant of RogueRobin uses DNS tunneling to communicate with its command and control (C&C) server and repeats the debugger check each time it issues a DNS query. If a debugger is detected, the query is sent to a legitimate domain owned by Google instead of the C&C infrastructure, likely as an anti-analysis measure, “as it will only trigger if the researcher has already patched the initial debugger check.”
The Trojan retrieves jobs from the C&C server through DNS queries and handles them as commands.
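A DNS-tunneling channel of the kind described above leaves a characteristic footprint in resolver logs: many unique, long, high-entropy subdomains under a single registered domain, often with an unusual share of TXT queries. The script below is an added example, not code from the article or from Palo Alto Networks, and it profiles constructed resolver log lines (`<timestamp> <client> <qname> <qtype>`) rather than any real RogueRobin traffic; the encoding of the tunnelled data, the domain and the thresholds are all assumptions. The decoy queries to a Google-owned domain fall out naturally: they are grouped under their own registered domain and look like ordinary traffic.

```python
"""Profile resolver logs for DNS tunnelling: per (client, registered domain),
count unique subdomains and score their length and Shannon entropy.

Added example, not code from the article or from Unit 42. The log lines are
constructed; the tunnel domain, label encoding and thresholds are assumptions.
Registered-domain extraction takes the last two labels, which is a
simplification (a real deployment should use the public suffix list)."""
import math
from collections import defaultdict

# Constructed sample log. 10.0.0.5 tunnels under example.net and also
# resolves ordinary Google names (the decoy behaviour); 10.0.0.7 is benign.
SAMPLE_LOG = """\
2019-01-10T09:00:01 10.0.0.5 a3f9c1e7b2d4.6f0e11.example.net TXT
2019-01-10T09:00:02 10.0.0.5 www.google.com A
2019-01-10T09:00:03 10.0.0.5 b7e2d9c4f1a0.6f0e12.example.net TXT
2019-01-10T09:00:04 10.0.0.5 c1d8e5f2a9b3.6f0e13.example.net TXT
2019-01-10T09:00:05 10.0.0.5 mail.google.com A
2019-01-10T09:00:06 10.0.0.5 d4a7f0c3e6b9.6f0e14.example.net A
2019-01-10T09:00:07 10.0.0.5 e9b2c5d8f1a4.6f0e15.example.net TXT
2019-01-10T09:00:08 10.0.0.5 drive.google.com A
2019-01-10T09:00:09 10.0.0.5 f0c3d6e9a2b5.6f0e16.example.net TXT
2019-01-10T09:00:10 10.0.0.7 www.example.org A
2019-01-10T09:00:11 10.0.0.7 www.google.com A
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (subdomain part, registered domain)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile(log_text):
    """Aggregate queries per (client, registered domain)."""
    stats = defaultdict(lambda: {"subs": set(), "total": 0, "txt": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, qtype = line.split()
        sub, domain = split_name(qname)
        s = stats[(client, domain)]
        s["subs"].add(sub)
        s["total"] += 1
        s["txt"] += qtype.upper() == "TXT"
    return stats


def detect(log_text, min_unique=5, min_entropy=3.0, min_len=15):
    """Return the (client, domain) pairs whose subdomains look like tunnelled data."""
    flagged = {}
    for key, s in profile(log_text).items():
        subs = [x.replace(".", "") for x in s["subs"] if x]
        if len(subs) < min_unique:
            continue  # too few distinct names to be a data channel
        mean_len = sum(len(x) for x in subs) / len(subs)
        mean_ent = sum(shannon_entropy(x) for x in subs) / len(subs)
        if mean_len >= min_len and mean_ent >= min_entropy:
            flagged[key] = {
                "unique_subdomains": len(subs),
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "txt_ratio": round(s["txt"] / s["total"], 2),
            }
    return flagged


if __name__ == "__main__":
    for (client, domain), info in detect(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {info}")
```

The thresholds here are deliberately crude; in production the same three features (distinct-subdomain count, label length, entropy) are usually baselined per domain over a longer window, with CDN and anti-spam domains that legitimately produce long hashed labels allow-listed up front.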
The new variant also includes a command, x_mode, that enables an alternative C&C channel built on the Google Drive API. The mode is disabled by default but can be switched on by a command received from the C&C server. One sample, however, had a Google Drive URL hardcoded.
In x_mode, the malware uploads a file to a Google Drive account and then repeatedly polls the file's modification time. The first modification supplies a unique identifier, and every subsequent modification is treated as a command.
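The following is an added example, not RogueRobin's code and not from Palo Alto Networks, that models the x_mode channel as described: the implant uploads a file, polls its modification time, takes the first change as the identifier and every later change as a command. Google Drive is replaced by an in-memory stand-in exposing only the file-API semantics the channel needs (create, update, read modification time, download), so it runs offline; the command strings, the identifier value and the way the operator learns the file ID are assumptions.

```python
"""Model of a Google Drive modification-time polling channel.

Added example, not the malware's code or Unit 42's. FakeDrive stands in for
the Drive API; the framing (first change = identifier, later changes =
commands) follows the article, while the identifier and command values are
constructed."""
from datetime import datetime, timedelta, timezone


class FakeDrive:
    """In-memory stand-in for the handful of Drive file operations used."""

    def __init__(self):
        self._files = {}
        self._clock = datetime(2019, 1, 15, tzinfo=timezone.utc)
        self._next_id = 1

    def _tick(self):
        self._clock += timedelta(seconds=1)
        return self._clock

    def create(self, content):
        fid = f"file{self._next_id}"
        self._next_id += 1
        self._files[fid] = {"content": content, "modifiedTime": self._tick()}
        return fid

    def update(self, fid, content):
        # Every write bumps modifiedTime, which is the only signal the implant watches.
        self._files[fid] = {"content": content, "modifiedTime": self._tick()}

    def modified_time(self, fid):
        return self._files[fid]["modifiedTime"]

    def download(self, fid):
        return self._files[fid]["content"]


class Implant:
    """Victim side: upload a file, then poll its modification time for writes."""

    def __init__(self, drive):
        self.drive = drive
        self.file_id = drive.create("")  # initial upload to the attacker-controlled account
        self.last_seen = drive.modified_time(self.file_id)
        self.identifier = None
        self.executed = []

    def poll(self):
        """One polling iteration; returns what was consumed, or None if nothing changed."""
        mtime = self.drive.modified_time(self.file_id)
        if mtime == self.last_seen:
            return None
        self.last_seen = mtime
        payload = self.drive.download(self.file_id)
        if self.identifier is None:
            self.identifier = payload  # first change carries the identifier
            return ("identifier", payload)
        self.executed.append(payload)  # later changes are commands
        return ("command", payload)


class Operator:
    """Attacker side: writes to the same file from the account that owns it."""

    def __init__(self, drive, file_id):
        self.drive, self.file_id = drive, file_id

    def send(self, text):
        self.drive.update(self.file_id, text)


def run_session():
    """Drive one exchange end to end and return the implant plus its poll log."""
    drive = FakeDrive()
    bot = Implant(drive)
    op = Operator(drive, bot.file_id)  # assumption: operator sees the new file in the account
    log = [bot.poll()]                 # nothing written yet
    op.send("victim-7f3a")             # constructed identifier
    log.append(bot.poll())
    log.append(bot.poll())             # no new modification
    op.send("whoami")                  # constructed commands
    log.append(bot.poll())
    op.send("sleep 60")
    log.append(bot.poll())
    return bot, log


if __name__ == "__main__":
    bot, log = run_session()
    for entry in log:
        print(entry)
    print("identifier:", bot.identifier, "| executed:", bot.executed)
```

Two things the model makes visible. First, the channel carries no content of its own: the implant only ever reads a timestamp and then fetches the file, so on the wire this is a tight loop of metadata reads against a single Drive file, a beaconing pattern that stands out on hosts with no other Drive usage. Second, the framing is stateful on the implant side only; if the implant restarts it loses track of which change was the identifier, which is the kind of fragility a defender can exploit when choosing where to interrupt the channel.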
DarkHydrus, however, isn’t the first threat actor to abuse Google Drive for C&C purposes. OilRig, a group actively targeting United States and Middle Eastern organizations in the financial and government industries since 2015, has been abusing the legitimate service in their attacks as well.
The new DarkHydrus attacks, Palo Alto Networks’ security researchers conclude, reveal not only that the group continues operations and adds new techniques to their playbook, but also that they might be shifting to abusing legitimate cloud services for their infrastructure.
Related: DarkHydrus Uses Open Source Phishery Tool in Middle-East Attacks
Related: Iran-linked Hackers Adopt New Data Exfiltration Methods