A new custom malware has been described by Palo Alto Networks' Unit 42 threat intelligence and security division. Known as RogueRobin and attributed to the DarkHydrus group, the malware uses several techniques, including Google Drive as an alternative command-and-control (C2) channel.
Unit 42 says the targeted attack begins with a spear-phishing campaign that sends Arabic-language emails to organizations. The emails carry macro-enabled Excel documents with the .xlsm file extension.
Attackers can use RogueRobin as a backdoor into compromised systems. This is not the first time the malware has been seen: an earlier variant was delivered through PowerShell. The variant in this new campaign can communicate through Google Drive and has been written in C#.
“RogueRobin is a fully featured backdoor that can provide a variety of functionality to the threat actors,” said Bryan Lee, principal researcher at Palo Alto Networks, speaking to Threatpost.
“It specifically allows the DarkHydrus operators to remotely execute PowerShell scripts, meaning they would be able not only to take advantage of any features within the scope of PowerShell, but also to add functionality as desired by generating new scripts.”
The DarkHydrus operators can also use RogueRobin to upload files to and download files from the victim, which makes the backdoor more potent. Before running its payload, the malware checks whether it is executing in a sandbox, which lets it evade some security checks. The payload obtains commands from the C2 server through a custom DNS tunneling protocol:
“The DNS tunneling protocol can use multiple different DNS query types to interact with the C2 server,” researchers explained in a posting last week. “The payload has a function it calls early on that tests to see which DNS query types are able to successfully reach the C2 server. It iterates through a list of types and the first DNS type to receive a response from the C2 server will be used for all communications between the payload and the C2 server…the payload will look for different responses to…outbound queries depending on the type of DNS request that the payload uses to communicate with the C2.”
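The probing behaviour the researchers describe leaves a recognizable trace in resolver logs: one client working through several different record types against the same domain within seconds, with long subdomain labels that look like encoded data. The following is an added example, not code from Unit 42 or from the malware, showing a small heuristic that flags both patterns. The four-column log format, the sample log lines, the 60-second window and the entropy and length thresholds are all constructed assumptions for the example.

```python
"""Heuristic detection of DNS query-type probing and data-carrying labels.

Added example. The log layout ("epoch client qtype qname"), the sample
lines and every threshold are assumptions chosen for illustration.
"""
from collections import defaultdict
import math

# Constructed sample resolver log; the ".invalid" domain and IPs are made up.
SAMPLE_LOG = """\
1547700001 10.0.0.5 A www.example-intranet.local
1547700002 10.0.0.5 AAAA www.example-intranet.local
1547700010 10.0.0.9 A 1a9f3c7d2e.resolver-check.invalid
1547700011 10.0.0.9 AAAA 1a9f3c7d2e.resolver-check.invalid
1547700012 10.0.0.9 CNAME 1a9f3c7d2e.resolver-check.invalid
1547700013 10.0.0.9 MX 1a9f3c7d2e.resolver-check.invalid
1547700014 10.0.0.9 TXT 1a9f3c7d2e.resolver-check.invalid
1547700020 10.0.0.9 TXT 8e2b0c44a1f97d3e.resolver-check.invalid
1547700025 10.0.0.9 TXT c0ffee1234abcd.resolver-check.invalid
1547700030 10.0.0.7 TXT _dmarc.example-mail.local
"""


def parse_log(text):
    """Parse the assumed four-column format into a list of dicts."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, client, qtype, qname = parts
        records.append({"ts": int(ts), "client": client,
                        "qtype": qtype.upper(),
                        "qname": qname.rstrip(".").lower()})
    return records


def registered_domain(qname):
    """Crude registered-domain extraction: the last two labels.
    Assumption: no public-suffix handling; sufficient for the sample data."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_type_probing(records, window=60, min_types=4):
    """Return {(client, domain): sorted qtypes} for clients that used at least
    `min_types` distinct record types against one domain within `window` seconds."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["client"], registered_domain(r["qname"]))].append(r)
    hits = {}
    for key, recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            types = {r["qtype"] for r in recs[i:]
                     if r["ts"] - start["ts"] <= window}
            if len(types) >= min_types:
                hits[key] = sorted(types)
                break
    return hits


def find_encoded_labels(records, min_len=10, min_entropy=3.0):
    """Return qnames whose leftmost label is long and high-entropy,
    the shape that data tunnelled in subdomains tends to have."""
    flagged = set()
    for r in records:
        first = r["qname"].split(".")[0]
        if len(first) >= min_len and shannon_entropy(first) >= min_entropy:
            flagged.add(r["qname"])
    return sorted(flagged)


def report(text):
    """Run both heuristics over a log and return the findings."""
    records = parse_log(text)
    return {"type_probing": find_type_probing(records),
            "encoded_labels": find_encoded_labels(records)}


if __name__ == "__main__":
    for finding, value in report(SAMPLE_LOG).items():
        print(finding, value)
```

On the sample log the client 10.0.0.9 is flagged for cycling through five record types against one domain inside a minute, and its three hexadecimal-looking subdomains are flagged as encoded labels, while the ordinary A/AAAA pair and the `_dmarc` TXT lookup pass. In production the thresholds would be tuned against a baseline, since some legitimate resolvers and mail software also issue several record types in quick succession.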
RogueRobin can also establish an alternative C2 channel through the Google Drive API.
“In [this mode], RogueRobin uploads a file to the Google Drive account and continually checks the file’s modification time to see if the actor has made any changes to it,” added the researchers. “The actor will first modify the file to include a unique identifier that the trojan will use for future communications. The trojan will treat all subsequent changes to the file made by the actor as jobs and will treat them as commands.”