DarkHydrus APT Group is Using Google Drive for Spreading ‘RogueRobin’ Trojan
- According to 360 Threat Intelligence Center, the DarkHydrus Group is actively spreading the RogueRobin Trojan.
- The Windows Trojan is being released through Google Drive via Excel documents.
- DarkHydrus has been an active group since 2017 and RogueRobin is their most dangerous Trojan yet.
Advanced persistent threat group DarkHydrus has made a comeback with its RogueRobin trojan, and it is targeting users linked to politics in the Middle East. Google Drive is slowly becoming a prevalent channel of distribution of the group with Excel sheets being infected with the trojan. According to 360 Threat Intelligence Center researchers "In recent APT incidents, more and more threat actors tend to adopt Office VBA macro instead of Office zero-day vulnerabilit[ies] in the consideration of cost reduction. It is recommended that users avoid open[ing] documents from untrusted sources."
The first instance of DarkHydrus’ trojan was seen on January 9, 2019, by 360 Threat Intelligence Group. The malware embedded into Excel sheets while using Arabic text. A macro in the sheet drops a text file into a temporary directory which is used to run using the legitimate regsvr32.exe process. Once the text file is active, a backdoor is opened in the target systems by taking advantage of an infected OfficeUpdateService.exe which disguises itself as the Microsoft Office Updater.
The malware created by the DarkHydrus group is capable of creating new registry files as well as employing anti-analysis techniques which prevents security solutions from working on it. It is also immune to anti-debugging. Once the malware is in place, it is capable of collecting and sharing information from the target systems which via a DNS tunnel. If the method fails, Google Drive is used as a failsafe option.
The DarkHydrus group has been active since 2017 and is known for phishing and credential-harvesting campaigns. The group uses a number of phishing tools to create and inject systems using malicious documents similar to the Google Drive method. With filenames such as “project proposal” being used, a number of gullible users end up downloading and opening the infected files.
What do you think about DarkHydrus’ RogueRobin trojan? Let us know in the comments below. Also, join us on our TechNadu’s Twitter handle and Facebook page for instant updates.