Read how DarkHydrus adds Google Drive support to its RogueRobin Trojan for C2 communications! See full report by Unit 42 Threat Research on Live Community.
Unit 42 Threat Research
In July 2018, Unit 42 reported on a new threat actor group operating in the Middle East, which we named DarkHydrus (Kaspersky tracks the same group as "LazyMeerkat"), based on the tactics, techniques, and procedures (TTPs) observed in its activity. This group was observed registering typosquatted domains that imitate security or technology vendors, abusing open-source penetration testing tools, and leveraging novel file types as an anti-analysis technique.
On January 9, 2019, specialists at 360TIC published a tweet and follow-up research discussing delivery documents that appeared attributable to the APT group DarkHydrus.
While analyzing those delivery documents, Palo Alto Networks threat research group, Unit 42, was able to collect additional associated samples, uncover additional payload functionality including use of the Google Drive API, and confirm a strong likelihood of attribution to DarkHydrus.
Originally, RogueRobin was PowerShell-based, but the APT group ported it to a compiled C# variant.
Like the original version, this C# variant of RogueRobin uses DNS tunneling to communicate with its C2 server, issuing a variety of DNS query types. It also adds a command that did not exist in the PowerShell variant, x_mode, which switches the Trojan to an alternative command and control channel built on the Google Drive API.
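To make the DNS-tunneling point above concrete for defenders, here is an added example: a triage script of our own, not Unit 42's tooling and not a RogueRobin signature. It scores each registered domain in a DNS query log on generic tunneling traits: long, high-entropy leading labels, subdomains that never repeat, and several record types queried against one domain from a single client. The log lines, domain names, hex labels and thresholds are all constructed for this example; the report does not say which query types or encoding RogueRobin uses, so the script generalizes rather than matching this family.

```python
"""Heuristic DNS-tunneling triage over a DNS query log.

Added example (not Unit 42's tooling, not a RogueRobin signature). Scores
each registered domain on generic tunneling traits: long, high-entropy
leading labels, many never-repeated subdomains, and several record types
queried against one domain. The log below is constructed for this example.
"""
import math
from collections import defaultdict

# Constructed sample: "<timestamp> <client_ip> <qtype> <qname>".
# The hex labels stand in for encoded beacon data; they are not real indicators.
SAMPLE_LOG = """\
2019-01-09T10:00:01Z 10.0.0.5 A www.example.com
2019-01-09T10:00:02Z 10.0.0.5 A cdn.example.com
2019-01-09T10:00:03Z 10.0.0.5 A a1b2c3d4e5f60718293a4b5c6d7e8f90.example.net
2019-01-09T10:00:04Z 10.0.0.5 AAAA 09f8e7d6c5b4a39281706f5e4d3c2b1a.example.net
2019-01-09T10:00:05Z 10.0.0.5 TXT 0123456789abcdeffedcba9876543210.example.net
2019-01-09T10:00:06Z 10.0.0.5 MX f0e1d2c3b4a5968778695a4b3c2d1e0f.example.net
2019-01-09T10:00:07Z 10.0.0.5 SOA 5a6b7c8d9e0f123443210f9e8d7c6b5a.example.net
2019-01-09T10:00:08Z 10.0.0.5 A mail.example.com
"""


def shannon_entropy(s):
    """Bits per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels of the name. Simplification for the example: a real
    deployment should consult the Public Suffix List so that names under
    multi-label suffixes such as co.uk are grouped correctly."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Yield (timestamp, client, qtype, qname) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        yield ts, client, qtype.upper(), qname.lower().rstrip(".")


def analyze_dns_log(text, long_label=20, high_entropy=3.0,
                    min_qtypes=3, min_unique=5):
    """Return {domain: {"queries", "indicators", "score"}} for each domain seen.

    Thresholds are illustrative assumptions; tune them against your own
    baseline of benign resolver traffic before alerting on them."""
    stats = defaultdict(lambda: {"queries": 0, "qtypes": set(), "subs": set(),
                                 "max_label": 0, "entropy": []})
    for _ts, _client, qtype, qname in parse_log(text):
        dom = registered_domain(qname)
        st = stats[dom]
        st["queries"] += 1
        st["qtypes"].add(qtype)
        sub = qname[:-len(dom)].rstrip(".")
        if sub:
            st["subs"].add(sub)
            lead = sub.split(".")[0]  # leftmost label is where encoded data usually sits
            st["max_label"] = max(st["max_label"], len(lead))
            st["entropy"].append(shannon_entropy(lead))
    report = {}
    for dom, st in stats.items():
        indicators = []
        mean_ent = sum(st["entropy"]) / len(st["entropy"]) if st["entropy"] else 0.0
        if st["max_label"] >= long_label:
            indicators.append("long-labels")
        if mean_ent >= high_entropy:
            indicators.append("high-entropy-labels")
        if len(st["qtypes"]) >= min_qtypes:
            indicators.append("query-type-diversity")
        if len(st["subs"]) >= min_unique and len(st["subs"]) == st["queries"]:
            indicators.append("never-repeated-subdomains")
        report[dom] = {"queries": st["queries"], "indicators": indicators,
                       "score": len(indicators)}
    return report


def suspicious_domains(report, threshold=2):
    """Domains whose score reaches the threshold, highest score first."""
    hits = [(d, r["score"]) for d, r in report.items() if r["score"] >= threshold]
    return [d for d, _ in sorted(hits, key=lambda x: (-x[1], x[0]))]


if __name__ == "__main__":
    report = analyze_dns_log(SAMPLE_LOG)
    for dom in suspicious_domains(report):
        print(dom, report[dom])
```

Run against the constructed log, example.net trips all four indicators while the ordinary example.com lookups score zero. On a real resolver or passive-DNS feed, group by client as well as by domain and baseline the thresholds first: CDNs, anti-spam services and some telemetry legitimately produce long or high-entropy labels, so a single indicator is rarely worth an alert on its own, whereas the combination with unusual record types from one host is a far stronger signal.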