Recent developments in the cybersecurity landscape have revealed a concerning trend wherein malicious actors leverage the infrastructure of legitimate online services to disguise their activities. According to experts, the latest campaign attributed to the DarkHydrus APT group now employs Google Drive as its command-and-control (C2) server, a notable shift in tactics intended to evade detection by traditional security measures that monitor network traffic.

DarkHydrus gained initial attention in August 2022, utilizing the open-source Phishery tool for credential theft targeting various governmental and educational organizations, primarily situated in the Middle East. Building on this foundation, the group has recently launched a new operation, focusing once again on the same geographic area, as corroborated by reports from the 360 Threat Intelligence Center and Palo Alto Networks.

In this fresh wave of attacks, DarkHydrus has introduced a variant of its backdoor Trojan, known as RogueRobin. The malware spreads by manipulating victims into opening Microsoft Excel documents that harbor embedded VBA macros; no known Windows vulnerability is exploited. Once the victim enables the macros, the macro code creates a malicious text file in the system's temporary directory and abuses the legitimate regsvr32.exe application to execute the payload, ultimately installing the RogueRobin backdoor, which is written in C#.

Researchers at Palo Alto Networks have noted that RogueRobin incorporates various stealth mechanisms designed to determine whether it is running in a sandbox environment used for analysis. These mechanisms include checks for virtualized setups, processor counts, and common analysis tools, as well as anti-debugging code to further evade scrutiny.

Adding a layer of sophistication, RogueRobin employs DNS tunneling for its communications with the C2 server. This technique allows data to be sent and received via DNS query packets. However, in a significant evolution of its capabilities, the malware has also been integrated with Google Drive APIs, providing an alternative method for transmitting data back to its operators. It routinely uploads files to a designated Google Drive account, continually monitoring modification timestamps to detect any changes made by the attackers.
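As an added illustration (not code from the article or from the researchers cited), here is a simple heuristic a defender might run over DNS query logs to surface the kind of tunneling described above: many distinct, long, high-entropy subdomains sent from one client to one parent domain. The log lines, the client addresses and the domain `c2-placeholder.example` are constructed for the example, and the thresholds are assumptions to tune against your own baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log: "<client-ip> <queried-name>" per line. Not from the
# article; "c2-placeholder.example" is a placeholder, not a real indicator.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 a3f9c1d2e4b56789a0b1c2d3e4f5a6b7.c2-placeholder.example
10.0.0.7 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.c2-placeholder.example
10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-placeholder.example
10.0.0.7 5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d.c2-placeholder.example
10.0.0.5 cdn.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or encrypted data sits near the maximum."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname: str) -> tuple:
    """Return (subdomain, apex); the last two labels are treated as the apex."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunneling_candidates(log_text: str, min_unique: int = 4,
                              min_len: int = 30, min_entropy: float = 3.5) -> dict:
    """Flag (client, apex) pairs that receive many distinct, long, high-entropy
    subdomains: the signature of data being smuggled inside query names.
    Thresholds are assumptions; tune them against your own traffic baseline."""
    per_apex = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        client, qname = parts
        sub, apex = split_name(qname)
        if len(sub) >= min_len and shannon_entropy(sub) >= min_entropy:
            per_apex[(client, apex)].add(sub)
    return {k: len(v) for k, v in per_apex.items() if len(v) >= min_unique}

if __name__ == "__main__":
    for (client, apex), n in find_tunneling_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {apex}: {n} distinct high-entropy subdomains")
```

Production detections usually add query volume, record type (TXT and NULL queries are common carriers) and a whitelist of known CDN and telemetry domains to keep the false-positive rate manageable.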

The shift to utilizing legitimate cloud services for C2 communications illustrates a broader trend among APT groups to exploit trusted platforms to maintain operational secrecy. This trend aligns with tactics identified in the MITRE ATT&CK framework, specifically tactics related to initial access, persistence, and command-and-control communication.

Business owners and professionals should remain vigilant, particularly because VBA macros are a legitimate feature of MS Office and many antivirus programs therefore do not flag documents containing them as a threat. The safest practice is to scrutinize any unexpected attachments and avoid interacting with embedded links unless the source has been verified.

In a cybersecurity landscape where threats are constantly evolving, continuous education and cautious behavior remain paramount in defending against sophisticated attacks like the one posed by the DarkHydrus group.
