DarkHydrus Uses Open Source Phishery Tool in Middle-East Attacks

The recently detailed DarkHydrus threat group is leveraging the open-source Phishery tool to create malicious documents used in attacks on government entities in the Middle East, Palo Alto Networks warns.

Just weeks ago, the security firm revealed that the actor is employing numerous free or open-source utilities for their malicious purposes. They have leveraged tools such as Meterpreter, Mimikatz, PowerShellEmpire, Veil, and CobaltStrike, as well as a PowerShell-based backdoor called RogueRobin.

With a focus on credential harvesting, the attacker(s) employs spear-phishing emails to deliver malicious Office documents and is using an infrastructure dating back to fall 2017.

The malicious documents, which use the attachedTemplate technique, load a template from a remote, attacker-controlled location to prompt users to provide login credentials. The login information is then sent to the attacker’s server.
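As an added defender-side example (not from the article, Palo Alto Networks, or the Phishery project), the following Python checks a .docx for an attachedTemplate relationship whose target is an external URL, the trace the technique described above leaves inside the document's zip container; the sample document and its URL are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespace for package relationships and the attachedTemplate relationship type.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Schemes that make a template reference remote (HTTP(S) URL or UNC path).
REMOTE_PREFIXES = ("http://", "https://", "\\\\")


def find_remote_templates(docx_bytes):
    """Return the external attachedTemplate targets found in word/_rels/settings.xml.rels.

    A benign document usually has no such relationship, or one pointing at a local
    template such as Normal.dotm; a remote URL is worth inspecting.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        name = "word/_rels/settings.xml.rels"
        if name not in z.namelist():
            return hits
        root = ET.fromstring(z.read(name))
        for rel in root.findall(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            if rel.get("TargetMode") == "External" and target.lower().startswith(REMOTE_PREFIXES):
                hits.append(target)
    return hits


def build_sample_docx(remote_target=None):
    """Construct a minimal docx-style zip for testing (constructed, not a real sample).

    With remote_target=None the template relationship points at a local Normal.dotm.
    """
    if remote_target is None:
        rel = '<Relationship Id="rId1" Type="%s" Target="Normal.dotm"/>' % ATTACHED_TEMPLATE
    else:
        rel = ('<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
               % (ATTACHED_TEMPLATE, remote_target))
    rels = '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="%s">%s</Relationships>' % (REL_NS, rel)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Run on real attachments, this check flags documents that will reach out to a remote host on open; the scan is static and never fetches the template itself.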

Last year, the FBI and the DHS issued a joint report warning of cyber-attacks targeting energy facilities in the U.S. and elsewhere and leveraging the same template injection technique. Those attacks, however, were attributed to a different actor.

Palo Alto Networks’ security researchers believe that DarkHydrus used the open-source Phishery tool to create two of the Word documents observed in the credential harvesting attacks.

One of these attacks was observed on June 24, 2018, targeting an educational institution in the Middle East. The subdomain (of attacker-controlled 0utl00k[.]net) used in this incident was the domain of the targeted educational institution, which made the malicious document and the authentication request look credible.

The security researchers discovered additional documents that employed the same malicious domain for credential harvesting and say that the malicious campaign has been ongoing for almost a year.

Previously, Palo Alto Networks uncovered additional domains the threat actor has been using in assaults, including anyconnect[.]stream, Bigip[.]stream, Fortiweb[.]download, Kaspersky[.]science, microtik[.]stream, owa365[.]bid, symanteclive[.]download, and windowsdefender[.]win.

The RogueRobin backdoor, the security firm says, can determine whether it runs in a sandbox. It provides attackers with various remote administration capabilities, including file upload, PowerShell command execution, DNS queries, download of content from the command and control (C&C) server, and the addition of PowerShell modules to the script.

The researchers were able to confirm that the Phishery tool was used to create DarkHydrus documents. The open-source utility allows for the injection of remote template URLs into Word documents and is also capable of hosting a C&C server to gather the user-provided credentials.

“We discovered DarkHydrus carrying out credential harvesting attacks that use weaponized Word documents, which they delivered via spear-phishing emails to entities within government and educational institutions. This threat group not only used the Phishery tool to create these malicious Word documents, but also to host the C2 server to harvest credentials,” Palo Alto Networks concluded.

Related: Template Injection Used in Attacks on U.S. Critical Infrastructure

Related: Iran-Linked ‘Leafminer’ Espionage Campaign Targets Middle East

Related: Actor Targeting Middle East Shows Excellent OPSEC

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
