
RogueRobin Malware Uses Google Drive to Gain System Access Through C2 Channel

A new RogueRobin malware has been described by security researchers, which can use Google Drive as a C2 Channel for system access.


A new custom malware has been described by Palo Alto Networks' Unit 42 threat intelligence division. Attributed to the DarkHydrus group and known as RogueRobin, the malware uses several techniques, including Google Drive as a substitute command-and-control (C2) channel.

Unit 42 says the targeted attack begins with a spear-phishing campaign in which emails written in Arabic are sent to organizations. These emails carry macro-enabled Excel documents with the .xlsm file extension.

Attackers can use RogueRobin as a backdoor into compromised systems. This is not the first time this malware has been seen: an earlier version was executed through PowerShell. The variant used in this new campaign has been written in C#.

“RogueRobin is a fully featured backdoor that can provide a variety of functionality to the ,” said Bryan Lee, principal researcher at Palo Alto Networks, speaking to Threatpost.

“It specifically allows the DarkHydrus operators to remotely execute PowerShell scripts, meaning they would be able not only to take advantage of any features within the scope of PowerShell, but also to add functionality as desired by generating new scripts.”

C2 Channel

The DarkHydrus operators can also use RogueRobin to upload files to and download files from the victim, which makes the backdoor more potent. Before executing its payload, the malware checks whether it is running in a sandbox, which lets it evade some automated analysis. It contacts the C2 server to obtain commands over a custom DNS tunneling protocol:

“The DNS tunneling protocol can use multiple different DNS query types to interact with the C2 server,” researchers explained in a posting last week. “The payload has a function it calls early on that tests to see which DNS query types are able to successfully reach the C2 server. It iterates through a list of types and the first DNS type to receive a response from the C2 server will be used for all communications between the payload and the C2 server…the payload will look for different responses to…outbound queries depending on the type of DNS request that the payload uses to communicate with the C2.”
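The query-type probing described above has a resolver-side fingerprint a defender can look for: one client sends several distinct DNS query types to a single domain, then settles into a stream of queries whose subdomains keep changing (the labels carry the tunneled data). The following script, added here as an example and not code from the article or from Unit 42's report, scores each (client, domain) pair on both traits over a constructed resolver log. The log format, the client addresses, the placeholder domains and the thresholds are all assumptions made for the example.

```python
"""Flag DNS clients that probe many query types against one domain and then
send a stream of unique names to it (a DNS-tunneling C2 pattern).

All sample log lines below are constructed for this example; the domains are
placeholders, not indicators from the Unit 42 report.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed resolver log: "<epoch> <client_ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
1548000001 10.0.0.5 A a1b2.example-c2.test
1548000002 10.0.0.5 AAAA c3d4.example-c2.test
1548000003 10.0.0.5 MX e5f6.example-c2.test
1548000004 10.0.0.5 TXT g7h8.example-c2.test
1548000005 10.0.0.5 SRV i9j0.example-c2.test
1548000006 10.0.0.5 SOA k1l2.example-c2.test
1548000010 10.0.0.5 TXT m3n4.example-c2.test
1548000020 10.0.0.5 TXT o5p6.example-c2.test
1548000030 10.0.0.5 TXT q7r8.example-c2.test
1548000040 10.0.0.5 TXT s9t0.example-c2.test
1548000001 10.0.0.7 A www.example-benign.test
1548000002 10.0.0.7 AAAA www.example-benign.test
1548000050 10.0.0.7 A www.example-benign.test
1548000060 10.0.0.7 A mail.example-benign.test
"""

Record = Tuple[int, str, str, str]  # (epoch, client, qtype, qname)


def parse_dns_log(text: str) -> List[Record]:
    """Parse the constructed log format into (epoch, client, qtype, qname) tuples."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        epoch, client, qtype, qname = line.split()
        records.append((int(epoch), client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def registered_domain(qname: str) -> str:
    """Simplified registered-domain extraction: the last two labels.
    A production detector would consult a public-suffix list instead."""
    return ".".join(qname.split(".")[-2:])


def find_tunneling_candidates(records: List[Record],
                              min_qtypes: int = 4,
                              min_unique_ratio: float = 0.5) -> List[Dict]:
    """Return (client, domain) pairs that used at least `min_qtypes` distinct
    query types AND whose queries were mostly unique names (ratio of distinct
    qnames to total queries >= `min_unique_ratio`)."""
    stats = defaultdict(lambda: {"qtypes": set(), "names": set(), "queries": 0})
    for _, client, qtype, qname in records:
        bucket = stats[(client, registered_domain(qname))]
        bucket["qtypes"].add(qtype)
        bucket["names"].add(qname)
        bucket["queries"] += 1

    findings: List[Dict] = []
    for (client, domain), s in stats.items():
        unique_ratio = len(s["names"]) / s["queries"]
        if len(s["qtypes"]) >= min_qtypes and unique_ratio >= min_unique_ratio:
            findings.append({
                "client": client,
                "domain": domain,
                "distinct_qtypes": len(s["qtypes"]),
                "qtypes": sorted(s["qtypes"]),
                "queries": s["queries"],
                "unique_ratio": round(unique_ratio, 2),
            })
    # Most query-type variety first: the probing phase is the strongest signal.
    findings.sort(key=lambda f: (-f["distinct_qtypes"], f["client"], f["domain"]))
    return findings


if __name__ == "__main__":
    for f in find_tunneling_candidates(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f"{f['client']} -> {f['domain']}: {f['distinct_qtypes']} query types "
              f"{f['qtypes']}, {f['queries']} queries, unique-name ratio {f['unique_ratio']}")
```

The benign client in the sample log is not flagged because it uses only A and AAAA records and repeats the same names; the threshold of four query types is a starting point to tune against your own resolver's baseline, since some legitimate software (mail servers, monitoring agents) also issues MX, TXT and SRV lookups.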

Google Drive

RogueRobin can also establish an alternative C2 channel through the Google Drive API.

“In [this mode], RogueRobin uploads a file to the Google Drive account and continually checks the file's modification time to see if the actor has made any changes to it,” added the researchers. “The actor will first modify the file to include a unique identifier that the trojan will use for future communications. The trojan will treat all subsequent changes to the file made by the actor as jobs and will treat them as commands.”
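Because this mode has the trojan repeatedly checking one file's modification time, an egress proxy sees a single client fetching the same Drive file-metadata URL at near-constant intervals. The script below, added here as an example and not code from the article or from Unit 42's report, looks for that periodic polling over a constructed proxy log by measuring how regular the gaps between requests are. The log format, the client addresses, the file-ID placeholders, the Drive v3 files URL shape and the thresholds are assumptions made for the example.

```python
"""Flag proxy clients that poll the same Google Drive file-metadata URL at
near-constant intervals, the traffic shape of a file-modification-time check
used as a C2 channel.

All sample log lines are constructed for this example; the file IDs are
placeholders, not indicators from the Unit 42 report.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed proxy log: "<epoch> <client_ip> <method> <url>"
SAMPLE_PROXY_LOG = """\
1548001000 10.0.0.5 GET https://www.googleapis.com/drive/v3/files/FILEID_PLACEHOLDER_A?fields=modifiedTime
1548001030 10.0.0.5 GET https://www.googleapis.com/drive/v3/files/FILEID_PLACEHOLDER_A?fields=modifiedTime
1548001061 10.0.0.5 GET https://www.googleapis.com/drive/v3/files/FILEID_PLACEHOLDER_A?fields=modifiedTime
1548001090 10.0.0.5 GET https://www.googleapis.com/drive/v3/files/FILEID_PLACEHOLDER_A?fields=modifiedTime
1548001120 10.0.0.5 GET https://www.googleapis.com/drive/v3/files/FILEID_PLACEHOLDER_A?fields=modifiedTime
1548001150 10.0.0.5 GET https://www.googleapis.com/drive/v3/files/FILEID_PLACEHOLDER_A?fields=modifiedTime
1548001010 10.0.0.5 GET https://www.example-benign.test/index.html
1548001000 10.0.0.7 GET https://www.googleapis.com/drive/v3/files/FILEID_PLACEHOLDER_B?fields=modifiedTime
1548001700 10.0.0.7 GET https://www.googleapis.com/drive/v3/files/FILEID_PLACEHOLDER_B?fields=modifiedTime
1548002500 10.0.0.7 GET https://www.googleapis.com/drive/v3/files/FILEID_PLACEHOLDER_B?fields=modifiedTime
1548001000 10.0.0.9 GET https://www.googleapis.com/drive/v3/files/FILEID_PLACEHOLDER_C?fields=modifiedTime
1548001005 10.0.0.9 GET https://www.googleapis.com/drive/v3/files/FILEID_PLACEHOLDER_C?fields=modifiedTime
1548001200 10.0.0.9 GET https://www.googleapis.com/drive/v3/files/FILEID_PLACEHOLDER_C?fields=modifiedTime
1548001210 10.0.0.9 GET https://www.googleapis.com/drive/v3/files/FILEID_PLACEHOLDER_C?fields=modifiedTime
1548002000 10.0.0.9 GET https://www.googleapis.com/drive/v3/files/FILEID_PLACEHOLDER_C?fields=modifiedTime
1548002003 10.0.0.9 GET https://www.googleapis.com/drive/v3/files/FILEID_PLACEHOLDER_C?fields=modifiedTime
"""

Request = Tuple[int, str, str, str]  # (epoch, client, method, url)


def parse_proxy_log(text: str) -> List[Request]:
    """Parse the constructed proxy log format into request tuples."""
    requests: List[Request] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        epoch, client, method, url = line.split(maxsplit=3)
        requests.append((int(epoch), client, method.upper(), url))
    return requests


def is_drive_file_request(url: str) -> bool:
    """True for Drive API per-file requests (assumed URL shape for this example)."""
    return "googleapis.com/drive/" in url and "/files/" in url


def find_polling_clients(requests: List[Request],
                         min_requests: int = 5,
                         max_cv: float = 0.2) -> List[Dict]:
    """Return (client, url) pairs with at least `min_requests` GETs whose
    inter-request intervals have a coefficient of variation (std / mean) at or
    below `max_cv`, i.e. the gaps are too regular to be a human browsing."""
    times = defaultdict(list)
    for epoch, client, method, url in requests:
        if method == "GET" and is_drive_file_request(url):
            times[(client, url)].append(epoch)

    findings: List[Dict] = []
    for (client, url), ts in times.items():
        if len(ts) < min_requests:
            continue  # too few observations to judge periodicity
        ts.sort()
        intervals = [later - earlier for earlier, later in zip(ts, ts[1:])]
        mean = statistics.mean(intervals)
        if mean == 0:
            continue  # bursts of identical timestamps are not polling
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            findings.append({
                "client": client,
                "url": url,
                "requests": len(ts),
                "mean_interval": mean,
                "cv": round(cv, 3),
            })
    findings.sort(key=lambda f: (f["cv"], f["client"]))
    return findings


if __name__ == "__main__":
    for f in find_polling_clients(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"{f['client']} polled {f['url']} {f['requests']} times, "
              f"every ~{f['mean_interval']:.0f}s (cv={f['cv']})")
```

In the sample log, 10.0.0.7 is skipped for having too few requests and 10.0.0.9 is rejected because its gaps are irregular; only 10.0.0.5, with six requests roughly 30 seconds apart, is reported. Real Drive sync clients also poll, so in practice this check is most useful combined with process context (which binary opened the connection) rather than on its own.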

Source: Unit 42
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.
