A custom malware dubbed RogueRobin is using Google Drive as an alternative command and control channel.
Palo Alto’s Unit 42 researchers have been monitoring the malware, used by the DarkHydrus APT group and delivered in a series of Arabic-language spear-phishing emails carrying macro-enabled Excel documents with the .xlsm file extension, according to a Jan. 18 blog post.
DarkHydrus has previously been spotted using tactics including typosquatting the domains of security or technology vendors, abusing open-source penetration testing tools, and leveraging novel file types as anti-analysis techniques.
Between July 15 and 16, researchers spotted the group sending spear-phishing emails written in Arabic to targeted organizations, with password-protected RAR archive attachments containing malicious Excel Web Query (.iqy) files.
Its most recent tactic of using Google Drive as a command and control server suggests DarkHydrus may be shifting to abusing legitimate cloud services for their infrastructure, researchers said.
RogueRobin is unique in that it is a fully featured backdoor that lets its operators remotely execute PowerShell scripts and add new functionality on demand by generating new scripts. The malware can also upload and download arbitrary files to and from the victim’s devices, in addition to exfiltrating data.
“Recent DarkHydrus delivery documents revealed the group abusing open-source penetration testing techniques such as the AppLocker bypass,” researchers said in the post.
“The payloads installed by these delivery documents show that the DarkHydrus actors ported their previous PowerShell-based RogueRobin code to an executable variant, which is behavior that has been commonly observed with other adversary groups operating in the Middle East, such as OilRig.”
Researchers noted that none of the known documents used in the campaign contain a large image or message instructing victims to enable their macros, suggesting that those instructions were provided during delivery, such as in the body of a spear-phishing email.
The trojan then checks whether it is running in a sandbox environment and exits if it detects the presence of a debugger. It then uses DNS tunneling to communicate with its command and control server, using a variety of different DNS query types.
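Defenders hunting for the DNS tunneling behaviour described above can score resolver logs for its shape: one host issuing many queries of mixed types whose leading labels are long and random-looking. The following is an added example, not code from Unit 42 or the report; the log lines are constructed and the thresholds are assumptions to tune per environment.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (not from the Unit 42 report): source IP, query type, query name.
# Host 10.0.0.7 shows the tunneling pattern: mixed query types, long high-entropy first labels.
SAMPLE_DNS_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 AAAA www.example.com
10.0.0.7 A 7a3f9c1e2b4d8f0a6c5e1d2b3a4f5c6e.update-cdn.example.net
10.0.0.7 TXT 9d1e4b7c2a5f8e3b6c0d1a2f4e5b6c7d.update-cdn.example.net
10.0.0.7 AAAA 2f5e8c1b4a7d0e3f6b9c2d5a8e1f4b7c.update-cdn.example.net
10.0.0.7 MX 5b8e1c4f7a0d3e6b9c2f5a8d1e4b7c0f.update-cdn.example.net
10.0.0.7 SRV 8e1b4c7f0a3d6e9b2c5f8a1d4e7b0c3f.update-cdn.example.net
10.0.0.7 CNAME 1c4f7a0d3e6b9c2f5a8d1e4b7c0f3a6d.update-cdn.example.net
10.0.0.9 A mail.example.org
"""


def shannon_entropy(text):
    """Bits per character; encoded or encrypted data scores high, dictionary words low."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def parse_dns_log(log):
    """Yield (src, qtype, qname) tuples from whitespace-separated log lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].upper(), parts[2].lower()


def find_tunneling_hosts(log, min_queries=5, min_qtypes=3, min_label_len=24, min_entropy=2.5):
    """Return {src: summary} for hosts whose DNS traffic looks like a tunneling channel:
    enough queries, several distinct query types, and mostly long high-entropy first labels."""
    per_host = defaultdict(lambda: {"queries": 0, "qtypes": set(), "suspicious_labels": 0})
    for src, qtype, qname in parse_dns_log(log):
        stats = per_host[src]
        stats["queries"] += 1
        stats["qtypes"].add(qtype)
        label = qname.split(".")[0]  # the leftmost label is where tunneled data usually sits
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            stats["suspicious_labels"] += 1
    flagged = {}
    for src, stats in per_host.items():
        if (stats["queries"] >= min_queries and len(stats["qtypes"]) >= min_qtypes
                and stats["suspicious_labels"] / stats["queries"] >= 0.8):
            flagged[src] = {"queries": stats["queries"], "qtypes": sorted(stats["qtypes"]),
                            "suspicious_labels": stats["suspicious_labels"]}
    return flagged


if __name__ == "__main__":
    print(find_tunneling_hosts(SAMPLE_DNS_LOG))
```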
“The x_mode command is disabled by default, but when enabled via a command received from the DNS tunneling channel, it allows RogueRobin to receive a unique identifier and to get jobs by using Google Drive API requests,” researchers said in the post. “In x_mode, RogueRobin uploads a file to the Google Drive account and continually checks the file’s modification time to see if the actor has made any changes to it.”
All of the samples noted by the researchers have a malicious verdict in WildFire, all the domains were classified as malicious, and AutoFocus tags are available for additional context.