Delaware, USA – August 10, 2018 – One more hacker group is targeting government organizations in the Middle East. Palo Alto Networks Unit42 revealed one of the DarkHydrus campaigns and traced the group’s activity back to 2016. DarkHydrus leverages spear-phishing attacks using documents created with the open-source Phishery tool. Such documents allow the attackers to steal user credentials and use them during the next stages of the attack. The group prefers open-source tools, including the infamous Meterpreter and Cobalt Strike. In a recent campaign, DarkHydrus used a custom PowerShell-based payload, which the researchers named RogueRobin. To deliver the malware, the attackers sent an email asking the recipient to view a document in a password-protected archive that contained a malicious .iqy file. If the user opens it, ignoring the security warnings, the malicious PowerShell script runs on the system, contacts the attacker’s server and runs another script. After checking the infected system, RogueRobin creates a .bat file and a shortcut in the Windows startup folder. The malware uses DNS tunneling to communicate with the command and control server; it can transfer data, download additional modules and execute the attackers’ commands.
It’s difficult to say how skilled and effective the DarkHydrus hackers are, but their backdoor poses a significant threat to organizations and government entities. Dedicated DNS traffic monitoring solutions are not common; to detect tunneling, you can instead use your SIEM together with the DNS Security Check SIEM content pack from Threat Detection Marketplace: https://my.socprime.com/en/integrations/dns-security-check-hpe-arcsight
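To show what a DNS-tunneling detection of the kind the content pack targets actually looks for, here is an added example written for this page; it is not code from Unit42, SOC Prime or the content pack. It aggregates DNS query logs per client and registered domain and flags pairs whose subdomain labels look like encoded payloads: many unique, long, high-entropy subdomains, often with record types (TXT, NULL, CNAME) that a workstation rarely queries. The log line format, the thresholds, the two-label registered-domain split and the domain `c2-placeholder.test` are assumptions, and the log lines are constructed sample data.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the article). Assumed line format:
# "<timestamp> <client_ip> <qtype> <qname>". "c2-placeholder.test" is a placeholder,
# not a real indicator. Host 10.0.0.7 issues eight TXT queries whose leftmost
# label is 32 hex characters each, the shape DNS-tunneling tools produce.
SAMPLE_LOG = """\
2018-08-10T09:00:01Z 10.0.0.5 A www.example.com
2018-08-10T09:00:02Z 10.0.0.5 A mail.example.com
2018-08-10T09:00:03Z 10.0.0.5 AAAA cdn.example.net
2018-08-10T09:00:04Z 10.0.0.7 A www.example.com
2018-08-10T09:00:05Z 10.0.0.7 TXT 4a7f2c9e1b3d8f60a5c2e7b9d1f3a6c8.c2-placeholder.test
2018-08-10T09:00:06Z 10.0.0.7 TXT 9d1e3b5f7a2c4e6081b3d5f7a9c1e3b5.c2-placeholder.test
2018-08-10T09:00:07Z 10.0.0.7 TXT 2b4d6f8a0c1e3b5d7f9a1c3e5b7d9f0a.c2-placeholder.test
2018-08-10T09:00:08Z 10.0.0.7 TXT 6c8e0a2b4d6f8a1c3e5b7d9f2a4c6e80.c2-placeholder.test
2018-08-10T09:00:09Z 10.0.0.7 TXT 1e3b5d7f9a0c2e4b6d8f1a3c5e7b9d20.c2-placeholder.test
2018-08-10T09:00:10Z 10.0.0.7 TXT 8f0a2c4e6b8d1f3a5c7e9b2d4f6a8c01.c2-placeholder.test
2018-08-10T09:00:11Z 10.0.0.7 TXT 3d5f7a9c1e3b5d7f0a2c4e6b8d1f3a52.c2-placeholder.test
2018-08-10T09:00:12Z 10.0.0.7 TXT 5b7d9f1a3c5e7b9d2f4a6c8e0b2d4f63.c2-placeholder.test
"""

# Record types that ordinary workstation traffic seldom uses but tunnels favour
# because they carry more response bytes than an A record (assumed list).
RARE_QTYPES = ("TXT", "NULL", "CNAME")


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score near the alphabet maximum."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (registered_domain, subdomain). Assumes the registered domain is the
    last two labels; production code should consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    """Parse the assumed four-field format, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append((ts, client, qtype.upper(), qname))
    return records


def score_tunneling(records, min_queries=5, min_entropy=3.0, min_sublen=20):
    """Group queries by (client, registered domain) and flag groups with many
    distinct, long, high-entropy subdomains. Thresholds are assumed starting
    points to be tuned against a baseline of the monitored network."""
    groups = defaultdict(list)
    for _, client, qtype, qname in records:
        domain, sub = split_qname(qname)
        groups[(client, domain)].append((qtype, sub))

    findings = []
    for (client, domain), items in groups.items():
        subs = {sub for _, sub in items if sub}
        if len(items) < min_queries or len(subs) < min_queries:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        rare_frac = sum(1 for qt, _ in items if qt in RARE_QTYPES) / len(items)
        if mean_len >= min_sublen and mean_ent >= min_entropy:
            findings.append({
                "client": client,
                "domain": domain,
                "queries": len(items),
                "unique_subdomains": len(subs),
                "mean_subdomain_length": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "rare_type_fraction": round(rare_frac, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in score_tunneling(parse_log(SAMPLE_LOG)):
        print("possible DNS tunnel:", finding)
```

The same logic maps onto a SIEM correlation rule: a count of distinct subdomains per source and registered domain over a sliding window, with the average label length, an entropy or "looks random" function, and the share of TXT/NULL queries as the conditions. Low-volume beaconing with short labels will slip under these thresholds, so the rule belongs next to baselining of which domains each host normally resolves.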