A custom malware used by the APT known as DarkHydrus uses a mix of novel techniques, including using Google Drive as an alternate command-and-control (C2) channel.
According to Palo Alto’s Unit 42 intelligence division, the targeted attack involved spear-phishing emails written in Arabic sent to targeted organizations with macro-enabled Excel documents with .xlsm file extensions.
Once executed, it fetches a custom payload dubbed RogueRobin; the malware has previously been seen in a PowerShell-based form, while this campaign uses a new form of the malware written in C#.
“RogueRobin is a fully featured backdoor that can provide a variety of functionality to the threat actors,” said Bryan Lee, principal researcher at Palo Alto Networks, speaking to Threatpost. “It specifically allows the DarkHydrus operators to remotely execute PowerShell scripts, meaning they would be able to not only take advantage of any features within the scope of PowerShell, but also add functionality as desired by generating new scripts.”
He added that it also has the ability to upload and download arbitrary files from the victim host which can further enhance the threat actors’ ability to add functionality to RogueRobin in addition to being able to exfiltrate data.
Before carrying out any of its functionality, the payload checks to see if it is executing in a sandbox by using WMI queries and checks running processes. If the payload determines it is not running in a sandbox, it will attempt to install itself to the system to persistently execute. After providing system specific information, the payload will interact with the C2 server to obtain commands, which the payload refers to as jobs.
The payload itself communicates with its C2 servers using a custom DNS tunneling protocol.
“The DNS tunneling protocol can use multiple different DNS query types to interact with the C2 server,” researchers explained in a posting last week. “The payload has a function it calls early on that tests to see which DNS query types are able to successfully reach the C2 server. It iterates through a list of types and the first DNS type to receive a response from the C2 server will be used for all communications between the payload and the C2 server…the payload will look for different responses to…outbound queries depending on the type of DNS request that the payload uses to communicate with the C2.”
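As an added example (not code from the article or from Unit 42's report), the following detector runs over constructed resolver-log lines and flags the behaviour described above: one client trying several DNS record types against a single domain while carrying high-entropy encoded data in the leftmost label. The log format, thresholds, client addresses and the c2-placeholder domain are all assumptions made for this demo.

```python
import math
import re
from collections import defaultdict

# Constructed sample log, one query per line: <client> <qtype> <qname>
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 AAAA www.example.com
10.0.0.7 A 7f3a9c1e2b4d.c2-placeholder.example
10.0.0.7 AAAA 7f3a9c1e2b4d.c2-placeholder.example
10.0.0.7 TXT 7f3a9c1e2b4d.c2-placeholder.example
10.0.0.7 MX 7f3a9c1e2b4d.c2-placeholder.example
10.0.0.7 TXT 4e1b8d0a9f6c3b2e7d5a.c2-placeholder.example
10.0.0.7 TXT 9a2c4e6b8d0f1a3c5e7b.c2-placeholder.example
"""

def registered_domain(qname: str) -> str:
    # Assumption for the demo: the registered domain is the last two labels.
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])

def label_entropy(qname: str) -> float:
    """Shannon entropy (bits per char) of the leftmost label; encoded data scores high."""
    label = qname.split(".")[0]
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_tunneling_candidates(log_text, min_types=3, min_queries=4, min_entropy=3.0):
    """Return {(client, domain): sorted qtypes} for client/domain pairs that show
    the probing pattern: several distinct record types, enough queries, and a
    high mean entropy in the leftmost label. Thresholds are demo assumptions."""
    stats = defaultdict(lambda: {"types": set(), "count": 0, "entropy": []})
    for line in log_text.splitlines():
        m = re.match(r"(\S+)\s+([A-Z]+)\s+(\S+)$", line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        client, qtype, qname = m.groups()
        s = stats[(client, registered_domain(qname))]
        s["types"].add(qtype)
        s["count"] += 1
        s["entropy"].append(label_entropy(qname))
    hits = {}
    for key, s in stats.items():
        mean_entropy = sum(s["entropy"]) / len(s["entropy"])
        if len(s["types"]) >= min_types and s["count"] >= min_queries and mean_entropy >= min_entropy:
            hits[key] = sorted(s["types"])
    return hits
```

The ordinary client (10.0.0.5) querying only A and AAAA for a low-entropy hostname is not flagged, while the client cycling A, AAAA, TXT and MX against one domain with hex-looking labels is.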
Interestingly, the malware can establish an alternative C2 channel that uses the Google Drive API. This command is disabled by default, but when enabled via a command received from the DNS tunneling channel, it allows RogueRobin to receive a unique identifier and to get jobs by using Google Drive API requests.
“In [this mode], RogueRobin uploads a file to the Google Drive account and continually checks the file’s modification time to see if the actor has made any changes to it,” said the researchers. “The actor will first modify the file to include a unique identifier that the trojan will use for future communications. The trojan will treat all subsequent changes to the file made by the actor as jobs and will treat them as commands.”
While this isn’t a new tactic, it’s not common either, according to Lee.
“Using legitimate services as C2s may be more effective for the adversary as it may be impossible for an organization to outright block the legitimate service, in addition to potentially being able to ‘hide in plain sight,’ since the activity would appear to be legitimate on the surface,” he told us.