Advanced persistent threat group DarkHydrus has made a comeback with its RogueRobin trojan, and it is targeting users linked to politics in the Middle East. Google Drive is slowly becoming a prevalent channel of distribution of the group with Excel sheets being infected with the trojan. According to 360 Threat Intelligence Center researchers "In recent APT incidents, more and more threat actors tend to adopt Office VBA macro instead of Office zero-day vulnerabilit[ies] in the consideration of cost reduction. It is recommended that users avoid open[ing] documents from untrusted sources."
The first instance of DarkHydrus’ trojan was seen on January 9, 2019, by 360 Threat Intelligence Group. The malware embedded into Excel sheets while using Arabic text. A macro in the sheet drops a text file into a temporary directory which is used to run using the legitimate regsvr32.exe process. Once the text file is active, a backdoor is opened in the target systems by taking advantage of an infected OfficeUpdateService.exe which disguises itself as the Microsoft Office Updater.
The malware created by the DarkHydrus group is capable of creating new registry files as well as employing anti-analysis techniques which prevents security solutions from working on it. It is also immune to anti-debugging. Once the malware is in place, it is capable of collecting and sharing information from the target systems which via a DNS tunnel. If the method fails, Google Drive is used as a failsafe option.
The DarkHydrus group has been active since 2017 and is known for phishing and credential-harvesting campaigns. The group uses a number of phishing tools to create and inject systems using malicious documents similar to the Google Drive method. With filenames such as “project proposal” being used, a number of gullible users end up downloading and opening the infected files.
What do you think about DarkHydrus’ RogueRobin trojan? Let us know in the comments below. Also, join us on our TechNadu’s Twitter handle and Facebook page for instant updates.