The DarkHydrus attack group has resurfaced, continuing its operations while adding a few new techniques to its playbook, researchers said.
DarkHydrus was first identified last summer by Palo Alto Networks’ Unit 42, which linked a cluster of attacks in the Middle East that shared tactics, techniques, and procedures (TTPs).
This group was observed using tactics such as registering typosquatting domains for security or technology vendors, abusing open-source penetration testing tools, and leveraging novel file types as anti-analysis techniques.
“Since that initial reporting, we had not observed new activity from DarkHydrus until recently, when 360TIC published a tweet and subsequent research discussing delivery documents that appeared to be attributed to DarkHydrus,” said Unit 42 researchers Robert Falcone and Bryan Lee in a post. “In the process of analyzing the delivery documents, we were able to collect additional associated samples, uncover additional functionality of the payloads including the use of Google Drive API, and confirm the strong likelihood of attribution to DarkHydrus. We have notified Google of our findings.”
Researchers gathered three DarkHydrus delivery documents that install a new variant of the RogueRobin Trojan.
The three documents are similar to one another and are all macro-enabled Excel documents with .xlsm file extensions. None of the known documents contains a lure image or message instructing the recipient to click the Enable Content button that is necessary to run the macro.
The researchers could not determine the delivery mechanism, but it is likely that the instructions to click Enable Content were provided during delivery, such as in the body of a spear-phishing email, they said.
“Without the delivery mechanism we cannot confirm the exact time these delivery documents were used in an attack; however, the observed timestamps within these three delivery documents give us an idea when the DarkHydrus actors created them,” Falcone and Lee said in the report. “While the creation times were time stomped to a default time of 2006-09-16 00:00:00Z commonly observed in malicious documents, the Last Modified times were still available and suggest that DarkHydrus created these documents in December 2018 and January 2019.”
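The timestamp observation above translates directly into a triage check an analyst can run on any OOXML document: read `docProps/core.xml`, flag a creation time equal to the default stomped value 2006-09-16T00:00:00Z, fall back to the Last Modified time as the authoring estimate, and note whether a `vbaProject.bin` part (macro-enabled) is present. The following is an added example written for this article, not code from Unit 42 or from the RogueRobin research; the sample .xlsm package it inspects is constructed in memory with made-up dates, and only the stomped-default value comes from the report.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Default creation time reported above as commonly seen in time-stomped
# malicious Office documents.
STOMPED_CREATED = "2006-09-16T00:00:00Z"

# Namespaces used by docProps/core.xml in OOXML packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed core.xml template (realistic layout, placeholder dates).
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dcterms="{dcterms}" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
    '</cp:coreProperties>'
)


def build_sample(created, modified, with_vba):
    """Build a minimal, constructed .xlsm-like zip package for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml",
                    CORE_XML.format(cp=NS["cp"], dcterms=NS["dcterms"],
                                    created=created, modified=modified))
        if with_vba:
            # Placeholder bytes standing in for a real OLE-stored VBA project.
            zf.writestr("xl/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


def read_core_props(data):
    """Return created/modified strings and whether a VBA project part exists."""
    info = {"created": None, "modified": None, "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        info["has_vba"] = any(n.endswith("vbaProject.bin") for n in names)
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            created = root.find("dcterms:created", NS)
            modified = root.find("dcterms:modified", NS)
            info["created"] = created.text if created is not None else None
            info["modified"] = modified.text if modified is not None else None
    return info


def triage(data):
    """Flag stomped creation time and macro presence; estimate authoring time."""
    props = read_core_props(data)
    stomped = props["created"] == STOMPED_CREATED
    findings = []
    if props["has_vba"]:
        findings.append("macro-enabled: vbaProject.bin present")
    if stomped:
        findings.append("creation time is the default stomped value "
                        + STOMPED_CREATED + "; Last Modified is the better estimate")
    return {
        "props": props,
        "time_stomped": stomped,
        "findings": findings,
        # When the creation time is stomped, Last Modified is the best available
        # estimate of when the document was actually authored.
        "authoring_estimate": props["modified"] if stomped else props["created"],
    }


if __name__ == "__main__":
    sample = build_sample(STOMPED_CREATED, "2019-01-15T10:22:00Z", with_vba=True)
    for line in triage(sample)["findings"]:
        print(line)
```

A real document should be opened the same way (`zipfile.ZipFile(path)`); the check is metadata-only and never executes the macro, so it is safe to run in bulk over a mail quarantine. A creation time of exactly 2006-09-16T00:00:00Z is not proof of malice on its own, but combined with a VBA project and a recent Last Modified time it is a strong signal to prioritise the file for sandboxing.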
The more recent DarkHydrus delivery documents showed the group abusing open-source penetration testing techniques such as the AppLocker bypass.
The payloads installed by these delivery documents show that the DarkHydrus attackers ported their previous PowerShell-based RogueRobin code to an executable variant, behavior commonly observed with other groups operating in the Middle East, such as OilRig, the researchers said. In addition, the new variant of RogueRobin is capable of using the Google Drive cloud service for its C2 channel, suggesting DarkHydrus may be shifting to abusing legitimate cloud services for its infrastructure.