- Researchers discovered a new campaign by the DarkHydrus APT group targeting Middle East organizations.
- A new variant of the RogueRobin trojan was used to target the organizations.
- The new variant is capable of using Google Drive as an alternate channel for communication with the C2 server.
- The attackers were discovered using Excel documents written in Arabic to deliver the malware.
Security researchers have discovered a new campaign by the DarkHydrus APT group targeting government organizations in the Middle East.
The attackers were discovered using a new variant of the RogueRobin trojan that is capable of communicating with its C2 server via DNS tunneling and the Google Drive API.
The campaign was first spotted by 360’s Threat Intelligence Center (360 TIC) on January 9. The attackers leverage Excel documents written in Arabic to deliver the malware.
When the user opens the document, the embedded VBA macro executes immediately and first drops an HTA file (12-B-366.txt) to the temp directory. The HTA (HTML application) file then drops a PowerShell script to %TEMP%\WINDOWSTEMP.ps1.
In the final step, the PowerShell script drops the backdoor “OfficeUpdateService”. The backdoor component of the malware is written in C.
According to the analysis by Palo Alto Networks, the text file contains a Windows Script Component (.SCT) file which delivers a version of the RogueRobin trojan.
The malware is also capable of using Google Drive API as an alternate channel to communicate with the command and control server.
“This command is particularly interesting as it enables an alternative command and control channel that uses the Google Drive API. The x_mode command is disabled by default, but when enabled via a command received from the DNS tunneling channel, it allows RogueRobin to receive a unique identifier and to get jobs by using Google Drive API requests.”
The malware uploads a file to the Google Drive account and checks the file’s modification time to see whether any changes were made. The attacker modifies the file to include a unique identifier that is used for future communications.
The malware checks whether it is running in a sandbox environment and also checks for common analysis tools running on the system.
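The delivery chain described above (Excel macro, then an HTA launched from the temp directory, then a PowerShell script in %TEMP%) and the Google Drive API fallback channel both leave traces in endpoint telemetry. The following Python script is an added example, not code from the original article or from any of the researchers cited; it runs detection logic over a handful of constructed Sysmon-style process-creation and network-connection records embedded inline. The record layouts, the file paths, the process IDs and the host name `www.googleapis.com` are assumptions made for the example; only the file names 12-B-366.txt and WINDOWSTEMP.ps1 come from the article.

```python
"""Detection logic for an Office -> script-host -> PowerShell chain and for
Drive API traffic from a non-browser process. All records below are
constructed sample data, not telemetry from the campaign."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Script-like file referenced under a user's Temp directory on the command line
TEMP_SCRIPT_RE = re.compile(r"\\Temp\\[^\s\"']+\.(?:ps1|txt|hta|sct)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


@dataclass
class ProcEvent:          # subset of Sysmon Event ID 1 fields (assumed layout)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class NetEvent:           # subset of Sysmon Event ID 3 fields (assumed layout)
    pid: int
    image: str
    dest_host: str


# Constructed sample records: one malicious chain plus benign noise
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              '"EXCEL.EXE" C:\\Users\\user\\Downloads\\invoice.xlsm'),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\user\AppData\Local\Temp\12-B-366.txt"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\WINDOWSTEMP.ps1"),
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Process"),
]
SAMPLE_NET = [
    NetEvent(300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "www.googleapis.com"),
    NetEvent(600, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "www.googleapis.com"),
]


def ancestry(event: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 4) -> List[str]:
    """Image names from the oldest known ancestor down to the event itself."""
    chain, cur = [basename(event.image)], event
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        chain.append(basename(parent.image))
        cur = parent
    return list(reversed(chain))


def office_to_script_host_chains(events: List[ProcEvent]) -> List[List[str]]:
    """Script hosts whose process ancestry contains an Office application."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(e, by_pid)
        if any(name in OFFICE_APPS for name in chain[:-1]):
            hits.append(chain)
    return hits


def temp_script_executions(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """(pid, path) for command lines that reference a script under \\Temp\\."""
    hits = []
    for e in events:
        m = TEMP_SCRIPT_RE.search(e.cmdline)
        if m:
            hits.append((e.pid, m.group(0)))
    return hits


def unexpected_drive_api_clients(net_events: List[NetEvent]) -> List[Tuple[int, str]]:
    """Non-browser processes talking to the Google APIs endpoint."""
    return [(n.pid, basename(n.image)) for n in net_events
            if n.dest_host.lower().endswith("googleapis.com")
            and basename(n.image) not in BROWSERS]


if __name__ == "__main__":
    for chain in office_to_script_host_chains(SAMPLE_EVENTS):
        print("ALERT office->script host:", " -> ".join(chain))
    for pid, path in temp_script_executions(SAMPLE_EVENTS):
        print(f"ALERT temp script executed by pid {pid}: {path}")
    for pid, name in unexpected_drive_api_clients(SAMPLE_NET):
        print(f"ALERT Drive API traffic from non-browser pid {pid} ({name})")
```

The ancestry walk is what makes the first rule robust: the PowerShell stage is two hops away from Excel, so a rule that only inspects the direct parent would see mshta.exe and miss the Office origin. The Drive API rule is deliberately coarse (any non-browser client) and is meant as a triage signal, since legitimate sync clients would also need to be allow-listed in a real deployment.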