DarkHydrus Creates Trojan That Uses Google Drive For C2 Communications
The DarkHydrus group has created a new variant of the RogueRobin Trojan; this version can use Google Drive as an alternative command and control (C2) server. DarkHydrus uses spear-phishing emails that lure victims into providing login details through an attached ‘template’ file hosted on remote servers controlled by the attackers.
The latest activity was observed against targets in the Middle East, luring them with Excel documents laced with malicious VBA code (macro). Macros are disabled by default in the Microsoft Office suite, and they do not run unless the user enables the feature manually.
DarkHydrus compiled RogueRobin with an extra command that allows it to use Google Drive as a secondary method for receiving the attackers' instructions.
The command is called ‘x_mode’ and it is disabled by default. However, the adversary can turn it on via the DNS tunneling channel, which is the main communication line with the C2 server.
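As an added example (not from the original post or the DarkHydrus research it summarizes), here is a small detection heuristic for the kind of DNS-tunneling C2 channel described above: it flags registered domains that receive many distinct, high-entropy subdomain labels. The log format, client addresses and domain names are constructed for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: "<timestamp> <client-ip> <queried-name>".
# The names are placeholders, not indicators from the post.
SAMPLE_LOG = """\
2019-01-18T10:00:01 10.0.0.5 www.example.com
2019-01-18T10:00:02 10.0.0.5 mail.example.com
2019-01-18T10:00:03 10.0.0.7 3f9a1c0e7b2d.c2-placeholder.test
2019-01-18T10:00:04 10.0.0.7 a81e44d0c9f7.c2-placeholder.test
2019-01-18T10:00:05 10.0.0.7 5bd27e0a913c.c2-placeholder.test
2019-01-18T10:00:06 10.0.0.7 e0c4b91f2a6d.c2-placeholder.test
2019-01-18T10:00:07 10.0.0.5 cdn.example.com
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded data looks far more random than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())

def parse_log(text):
    """Return (timestamp, client, qname) tuples from the constructed log format."""
    records = []
    for line in text.splitlines():
        ts, client, qname = line.split()
        records.append((ts, client, qname.lower().rstrip(".")))
    return records

def registered_domain(qname):
    # Assumption: the last two labels are the registered domain (no public-suffix list offline).
    return ".".join(qname.split(".")[-2:])

def score_domains(records, min_unique=4, min_entropy=3.0):
    """Flag domains with many distinct, high-entropy subdomains (a tunneling signal)."""
    subdomains = defaultdict(set)
    for _, _, qname in records:
        labels = qname.split(".")
        if len(labels) < 3:          # no subdomain part to inspect
            continue
        subdomains[registered_domain(qname)].add(".".join(labels[:-2]))
    flagged = {}
    for domain, names in subdomains.items():
        avg_entropy = sum(shannon_entropy(n.replace(".", "")) for n in names) / len(names)
        if len(names) >= min_unique and avg_entropy >= min_entropy:
            flagged[domain] = {"unique_subdomains": len(names), "avg_entropy": round(avg_entropy, 2)}
    return flagged

if __name__ == "__main__":
    print(score_domains(parse_log(SAMPLE_LOG)))
```

The thresholds are starting points; in practice they are tuned against a baseline of the organisation's normal resolver traffic, and query volume and record type (for example TXT) are added as further signals.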
Indicators of Compromise
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.