DarkHydrus empowers RogueRobin to use Google Drive

Delaware, USA – January 22, 2019 – The Middle East region became the target of a recent attack by a new strain of the RogueRobin Trojan that can use Google Drive to receive attackers’ commands. Cybersecurity experts from 360’s Threat Intelligence Center attributed this attack to the notorious DarkHydrus APT group, which has already carried out campaigns against Middle Eastern government and educational institutions to gather credentials for future operations. The group has been conducting cyber espionage campaigns for at least three years and, as its latest activity shows, continues to enlarge and develop its toolset.

The malicious document used in the recent DarkHydrus campaign was first spotted two weeks ago. It delivers a new variant of the RogueRobin trojan, which is dropped on the system when the targeted user clicks the Enable Content button in the .xlsm attachment delivered via phishing email. The new C# variant of RogueRobin retains the traditional communication channel over DNS tunneling, but the threat actors have also armed it with the capability to receive instructions via Google Drive. This option is enabled by the ‘x.mode’ command sent over the traditional DNS tunneling channel. Once enabled, RogueRobin starts retrieving commands through Google Drive API requests and can upload files to the Google Drive account. DNS tunneling is often used by APT groups to exfiltrate sensitive data or to communicate with sophisticated cyber espionage tools. You can use the DNS Security Check rule pack to uncover suspicious DNS activity and volume-based data leakage: https://my.socprime.com/en/integrations/dns-security-check-kibana
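As an added, constructed illustration (not code from 360 or SOC Prime, and not their rule pack), this shows the kind of check a DNS tunneling detection encodes: per-domain subdomain entropy and unique-label volume, run over sample query log lines with assumed thresholds.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log ("client query_name"); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 a3f9c21e7b4d.c2-placeholder.test
10.0.0.7 9e0b7f3a1c5d.c2-placeholder.test
10.0.0.7 4b8d2e6f0a1c.c2-placeholder.test
10.0.0.7 7c1e9a3b5d2f.c2-placeholder.test
"""

def shannon_entropy(s):
    """Bits per character: encoded payloads score high, real hostnames low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def parse(log_text):
    recs = []  # (client, qname) normalised to lowercase without trailing dot
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            recs.append((parts[0], parts[1].lower().rstrip(".")))
    return recs

def profile_domains(records):
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "bytes": 0, "entropy": []})
    for _client, qname in records:
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # no subdomain part, so nothing to carry data in
        sub = ".".join(labels[:-2])
        st = stats[".".join(labels[-2:])]  # registered domain approximated as last two labels
        st["queries"] += 1
        st["subdomains"].add(sub)
        st["bytes"] += len(sub)  # volume carried upstream inside query names
        st["entropy"].append(shannon_entropy(sub))
    return stats

def flag_tunnel_candidates(stats, min_unique=4, min_entropy=3.0):
    """Thresholds are assumed starting points; tune them to your own baseline."""
    flagged = []
    for domain, st in stats.items():
        avg_entropy = sum(st["entropy"]) / len(st["entropy"])
        if len(st["subdomains"]) >= min_unique and avg_entropy >= min_entropy:
            flagged.append(domain)
    return sorted(flagged)
```

Hex-looking, never-repeating subdomains under one domain are the volume and randomness signal; the benign www/mail labels stay below both thresholds.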