DarkHydrus Adds Google Drive Support to Its RogueRobin Trojan for C2 Communications!


Read how DarkHydrus adds Google Drive support to its RogueRobin Trojan for C2 communications! See full report by Unit 42 Threat Research on Live Community.
Unit 42 Threat Research

In July 2018, Unit 42 reported on a new threat actor group in the Middle East, describing activity whose tactics, techniques, and procedures (TTPs) led us to name the adversary group DarkHydrus (also called "LazyMeerkat" by Kaspersky). This group was observed using tactics such as registering typosquatting domains for security or technology vendors, abusing open-source penetration testing tools, and leveraging novel file types as anti-analysis techniques.
On January 9, 2019, the specialists at 360TIC published a tweet and subsequent research discussing delivery documents that appeared to be attributable to the APT group DarkHydrus.
In the process of analyzing the delivery documents, Palo Alto Networks' threat research group, Unit 42, was able to collect additional associated samples, uncover additional functionality in the payloads, including the use of the Google Drive API, and confirm the strong likelihood of attribution to DarkHydrus.
Originally, RogueRobin was PowerShell-based, but the APT group ported it to a compiled C# variant.
Like the original version, this C# variant of RogueRobin uses DNS tunneling to communicate with its C2 server, spreading its traffic across a variety of DNS query types. Through a command that did not exist in the original PowerShell variant, x_mode, the new variant can switch to an alternative command and control channel that uses the Google Drive API.
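As an added illustration (not code from the Unit 42 report), the Python heuristic below looks for the pattern just described in a few constructed DNS query log lines: one client querying a single registered domain with several different record types and long, random-looking subdomain labels. The log format, the thresholds, the naive registered-domain split and the c2-placeholder.example domain are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log (not from the report): "client_ip qtype qname" per line.
# c2-placeholder.example is a placeholder, not a real indicator.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT 3q8f0zk2x9v1b7n4m6c8l0p2w5e.c2-placeholder.example
10.0.0.7 AAAA 9ak3z7x2q8v5n1m4b6c0l8p3w2e.c2-placeholder.example
10.0.0.7 MX 7zq2k9x4v6n8m1b3c5l7p0w9e2a.c2-placeholder.example
10.0.0.7 SRV 2bx7n4m9q1k6z3v8c5l0p2w4e7a.c2-placeholder.example
10.0.0.7 CNAME 5vn1m8q3k7z2x9b4c6l1p5w0e3a.c2-placeholder.example
"""

def shannon_entropy(s):
    """Bits per character; encoded/random-looking labels score high, words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname):
    """Assumed naive split (last two labels); production code needs a public-suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_dns_log(log, min_types=3, min_entropy=3.5):
    """Group queries by (client, registered domain) and flag pairs that use several
    record types AND carry high-entropy subdomain labels, the tunneling pattern."""
    stats = defaultdict(lambda: {"types": set(), "entropies": [], "queries": 0})
    for line in filter(None, log.splitlines()):
        client, qtype, qname = line.split()
        domain = registered_domain(qname)
        sub = qname[: -len(domain) - 1] if len(qname) > len(domain) else ""
        st = stats[(client, domain)]
        st["types"].add(qtype.upper())
        st["queries"] += 1
        if sub:
            st["entropies"].append(shannon_entropy(sub.replace(".", "")))
    flagged = {}
    for key, st in stats.items():
        avg = sum(st["entropies"]) / len(st["entropies"]) if st["entropies"] else 0.0
        if len(st["types"]) >= min_types and avg >= min_entropy:
            flagged[key] = {"query_types": sorted(st["types"]),
                            "avg_subdomain_entropy": round(avg, 2),
                            "queries": st["queries"]}
    return flagged

if __name__ == "__main__":
    for (client, domain), info in score_dns_log(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {info}")
```

Tune the thresholds against your own resolver logs before alerting on them; legitimate CDN and anti-spam lookups also produce long labels, though rarely across many record types from one host.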
Check out all the details in Unit 42's full report!
Luckily, Palo Alto Networks customers are protected at multiple layers, including:
  • All samples in Unit 42's report have a malicious verdict in WildFire.
  • The associated domains have been classified as malicious.
  • AutoFocus tags are available for additional context: DarkHydrus and RogueRobin.
Stay Secure!!

-Kiwi out.