Unit 42 has discovered a new targeted attack against a Middle East government by a new threat actor group called DarkHydrus.
According to Palo Alto Networks researchers, the threat actor group has been in operation since 2016 and has conducted targeted attacks against at least one Middle East government agency.
The attack involves a spear-phishing email sent to the targeted organization with a password-protected RAR archive named credential.rar as the attachment.
The RAR archive contains a malicious Excel Web Query file (.iqy) named credential.iqy. Excel Web Query files (.iqy) are simple text files that contain a URL, and Excel opens them by default.
The body of the message was written in Arabic and asks the recipient to view the document within the archive. The message also contains the password to open the file.
credential.iqy contains the URL hxxp://micrrosoft[.]net/releasenotes.txt, which is used to obtain remote data to include in the spreadsheet. Excel does not download remote data by default and asks for the user's permission to enable the connection.
If the user enables the data connection, Excel downloads a file named releasenotes.txt from the URL given in the .iqy file.
The releasenotes.txt file contains a formula, which Excel saves to the "A0" cell of the worksheet.
The formula uses the command prompt to run a PowerShell script that attempts to download and execute another PowerShell script hosted at hxxp://micrrosoft[.]net/winupdate.ps1.
Here too, Excel does not launch the command prompt by default and requires the user's permission to run it.
If the user grants permission, the script downloads and executes winupdate.ps1, which is the main payload of this attack and is called RogueRobin.
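As an added example (not code from the Unit 42 report or from this article), the following Python script parses an .iqy attachment the way a mail gateway or sandbox could, flags a remote data source that is not on an allow-list, and scans the text such a URL would return for formulas that hand control to a command interpreter. The sample .iqy uses the domain named above, but the script never contacts it; the sample remote content, the allow-listed host, the file-extension list and the regular expressions are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed .iqy content. An Excel Web Query file is plain text: line 1 is
# the query type ("WEB"), line 2 a version number, line 3 the URL, and optional
# Name=Value parameters follow. The domain is the one named in the report
# above; nothing in this script fetches it.
SAMPLE_IQY = (
    "WEB\n"
    "1\n"
    "http://micrrosoft.net/releasenotes.txt\n"
    "\n"
    "Selection=EntirePage\n"
    "Formatting=None\n"
)

# Constructed stand-in for the remote text Excel would paste into a cell. The
# first line imitates a DDE-style formula that shells out (it only echoes a
# string); the second is an ordinary value that must not be flagged.
SAMPLE_REMOTE = "=cmd|' /c powershell -c echo constructed'!A0\n42\n"

# Assumption: hosts a defender has explicitly approved as web-query sources.
TRUSTED_HOSTS = {"data.intranet.example"}


def parse_iqy(text):
    """Return the URL and Name=Value parameters of a .iqy file, or raise ValueError."""
    lines = [line.strip() for line in text.splitlines()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel Web Query (WEB) file")
    params = {}
    for line in lines[3:]:
        if "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return {"url": lines[2], "params": params}


def assess_iqy(text, trusted_hosts=TRUSTED_HOSTS):
    """Return the reasons an .iqy attachment should be held for review (empty list = clean)."""
    findings = []
    try:
        query = parse_iqy(text)
    except ValueError as exc:
        return [str(exc)]
    url = urlparse(query["url"])
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https") or not host:
        findings.append(f"malformed or non-web URL: {query['url']}")
        return findings
    if host not in trusted_hosts:
        findings.append(f"remote data source not on allow-list: {host}")
    if url.scheme == "http":
        findings.append(f"cleartext http transport: {query['url']}")
    # A data query normally points at a page or export, not a text/script file.
    if re.search(r"\.(txt|ps1|bat|cmd|vbs|js|hta)$", url.path, re.I):
        findings.append(f"URL points at a script or text file: {url.path}")
    return findings


# Formulas that can launch a program: one that names a command interpreter
# and carries DDE punctuation, or any "=prog|'args'!cell" shaped formula.
SHELL_FORMULA = re.compile(
    r"^\s*=\s*(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32)\b.*[|!]", re.I
)
DDE_FORMULA = re.compile(r"^\s*=\s*[A-Za-z0-9_.\\:-]+\s*\|.*!")


def suspicious_formulas(content):
    """Return the lines of fetched query output that Excel would treat as code-running formulas."""
    return [
        line.strip()
        for line in content.splitlines()
        if SHELL_FORMULA.search(line) or DDE_FORMULA.search(line)
    ]


if __name__ == "__main__":
    for finding in assess_iqy(SAMPLE_IQY):
        print("iqy:", finding)
    for formula in suspicious_formulas(SAMPLE_REMOTE):
        print("remote content:", formula)
```

The two checks are deliberately separate: the .iqy itself is inert text, so a gateway can make its decision from the URL alone, while the formula scan is for a sandbox that has already fetched the remote content in a detonation environment.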
The payload uses a custom DNS tunneling protocol to communicate with its configured C&C server.
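As an added example that is not part of the original write-up (which describes the protocol no further), the following Python heuristic scores constructed DNS query logs and flags a zone whose many distinct, long, high-entropy subdomains suggest data being carried in query names, the trace a DNS tunnel leaves in resolver logs regardless of the exact encoding. The log lines, the zone names (under the reserved .invalid TLD), the two-label zone split and the thresholds are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log: timestamp, client, record type, queried name.
# ".invalid" is reserved, so these names cannot resolve anywhere.
SAMPLE_LOG = """\
2018-07-20T10:00:01 10.0.0.5 A www.example.com
2018-07-20T10:00:02 10.0.0.5 A mail.example.com
2018-07-20T10:00:03 10.0.0.5 AAAA www.example.com
2018-07-20T10:00:04 10.0.0.5 TXT 7a3f9c1d2e4b5a6f7081.beacon-test.invalid
2018-07-20T10:00:05 10.0.0.5 TXT 9b2e1d0c3f4a5b6c7d8e9f0a.beacon-test.invalid
2018-07-20T10:00:06 10.0.0.5 TXT c4d5e6f7a8b9c0d1e2f3a4b5.beacon-test.invalid
2018-07-20T10:00:07 10.0.0.5 TXT 0f1e2d3c4b5a69788796a5b4.beacon-test.invalid
2018-07-20T10:00:08 10.0.0.5 TXT 5a6b7c8d9e0f1a2b3c4d5e6f.beacon-test.invalid
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Split a query name into (subdomain, zone).
    Assumption: the last two labels are the zone; production code would consult
    a public-suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Parse the four-column log format above, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname})
    return records


def score_zones(records):
    """Per zone: distinct subdomains, their mean length and entropy, and the share
    of record types (TXT, NULL) that carry bulky answers."""
    by_zone = defaultdict(list)
    for r in records:
        sub, zone = split_name(r["qname"])
        by_zone[zone].append((sub, r["qtype"]))
    scores = {}
    for zone, entries in by_zone.items():
        subs = {sub.replace(".", "") for sub, _ in entries}
        bulky = sum(1 for _, qt in entries if qt in ("TXT", "NULL"))
        scores[zone] = {
            "unique_subdomains": len(subs),
            "mean_length": sum(map(len, subs)) / len(subs),
            "mean_entropy": sum(map(shannon_entropy, subs)) / len(subs),
            "bulky_ratio": bulky / len(entries),
        }
    return scores


def flag_tunneling(text, min_unique=4, min_length=20, min_entropy=3.0):
    """Return zones whose query pattern looks like data carried in subdomains.
    Thresholds are constructed starting points, to be tuned against a baseline."""
    flagged = []
    for zone, s in score_zones(parse_log(text)).items():
        many = s["unique_subdomains"] >= min_unique
        dense = s["mean_length"] >= min_length or s["mean_entropy"] >= min_entropy
        if many and dense:
            flagged.append(zone)
    return sorted(flagged)


if __name__ == "__main__":
    for zone, s in score_zones(parse_log(SAMPLE_LOG)).items():
        print(zone, {k: round(v, 2) for k, v in s.items()})
    print("flagged:", flag_tunneling(SAMPLE_LOG))
```

The distinct-subdomain count matters as much as entropy: a tunnel must vary the query name to defeat caching, so a zone that receives a handful of repeated lookups (a CDN hostname, say) is not flagged even when its labels look random.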
“The DarkHydrus group carried out an attack campaign on at least one government agency in the Middle East using malicious .iqy files. The .iqy files take advantage of Excel’s willingness to download and include the contents from a remote server in a spreadsheet. DarkHydrus leveraged this obscure file format to run a command to ultimately install a PowerShell script to gain backdoor access to the system. The PowerShell backdoor delivered in this current attack may have been custom developed by the threat group; however, it is possible that DarkHydrus pieced together this tool by using code from legitimate open source tools.”