DarkHydrus group is actively spreading RogueRobin Trojan through Google Drive via Excel documents

DarkHydrus is a threat group that has targeted political and educational organizations in the Middle East. The group relies heavily on open-source tools and custom payloads in its attacks.

RogueRobin is a Trojan: a malicious program that connects a compromised computer to attacker-controlled infrastructure and is built to carry out harmful actions on the attackers' behalf.

Continuing its operations, the DarkHydrus advanced persistent threat (APT) group has adopted an alternative way of reaching its victims. This time DarkHydrus is actively spreading RogueRobin through Excel documents, with Google Drive used as a fallback channel, in what may be the most dangerous variant of the Trojan seen so far.

Researchers at the 360 Threat Intelligence Center (360TIC) found that the group has attacked political targets in the Middle East. On 9 January 2019, 360TIC captured samples of malicious Microsoft Excel documents from a new DarkHydrus campaign. The documents carry Arabic-language text and, when opened, prompt the user to enable the embedded VBA macros.

The macro in the workbook drops a text file into a temporary directory and executes it with the legitimate regsvr32.exe process. That step installs a backdoor, Office Update Service.exe, which masquerades as the Microsoft Office updater. This DarkHydrus payload can create new registry entries and uses anti-analysis techniques that keep security products from inspecting it. Once running, it can collect information from the compromised system and exfiltrate it through a DNS tunnel.

The Trojan contains anti-debugging code alongside its other anti-analysis techniques. The RogueRobin variant used in these attacks appears to be a collector: it gathers system information, such as the hostname, and sends it to a command-and-control (C2) server over a DNS tunnel.

When the DNS tunnel is unavailable, the Trojan supports a command named "x_mode" that instructs it to use Google Drive as an alternative file server for C2.
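The two stages above that leave traces on the endpoint and the network, Excel spawning regsvr32.exe to run a non-DLL file from a temp directory and the DNS tunnel to the C2 server, can be hunted with fairly simple rules. The Python below is an added example, not code from 360TIC or the article: it scores Sysmon-style process-creation records (the field names Image, ParentImage and CommandLine follow Sysmon's naming, which is an assumption about your telemetry) and looks for domains receiving many long, high-entropy subdomains. All records, paths, command lines and domain names are constructed placeholders, not RogueRobin indicators; the thresholds and the "registered domain is the last two labels" rule are simplifying assumptions you would tune for real data.

```python
"""Detection sketch for the RogueRobin delivery chain described above.

Added example, not code from 360TIC, Unit 42 or the article. It covers two
observable stages: (1) an Office application spawning regsvr32.exe to run a
non-DLL file from a user-writable directory, and (2) a burst of long,
high-entropy subdomains to one domain, the shape DNS-tunnelled C2 produces.
Every record below is constructed; paths, command lines and domain names are
placeholders, not RogueRobin IOCs.
"""
import math
import re
from collections import defaultdict

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
REGSVR32_OK_EXT = {".dll", ".ocx", ".ax"}  # what regsvr32 legitimately registers


def suspicious_regsvr32(event):
    """Return the reasons a Sysmon-style process-creation event looks like
    regsvr32 abuse; an empty list means nothing stood out."""
    image = event["Image"].lower()
    if not image.endswith("\\regsvr32.exe"):
        return []
    reasons = []
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if parent in OFFICE_APPS:
        reasons.append("spawned by Office application " + parent)
    # Examine every path-like argument (quoted or bare, with or without /i:).
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', event["CommandLine"]):
        arg = (quoted or bare).lower()
        if arg.startswith("/i:"):
            arg = arg[3:]
        if "\\" not in arg:
            continue
        if "\\temp\\" in arg or "\\appdata\\" in arg:
            reasons.append("loads from user-writable path " + arg)
        name = arg.rsplit("\\", 1)[-1]
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext and ext not in REGSVR32_OK_EXT:
            reasons.append("non-DLL argument " + arg)
    return reasons


def scan_process_events(events):
    """Return [(index, reasons)] for every event that triggered at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = suspicious_regsvr32(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


def shannon_entropy(text):
    """Bits of entropy per character; payload encoded into DNS labels scores high."""
    if not text:
        return 0.0
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_tunnel_candidates(queries, min_unique=5, min_len=20, min_entropy=3.0):
    """Group queries by registered domain (assumed here to be the last two labels,
    which ignores multi-part public suffixes such as co.uk) and flag domains that
    receive many distinct, long, high-entropy subdomains."""
    subs_by_domain = defaultdict(set)
    for q in queries:
        labels = q.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        subs_by_domain[".".join(labels[-2:])].add(".".join(labels[:-2]))
    flagged = {}
    for domain, subs in subs_by_domain.items():
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_len >= min_len and avg_entropy >= min_entropy:
            flagged[domain] = {"unique_subdomains": len(subs),
                               "avg_len": round(avg_len, 1),
                               "avg_entropy": round(avg_entropy, 2)}
    return flagged


# Constructed sample telemetry (not real RogueRobin events).
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"regsvr32.exe /s /u /i:C:\Users\victim\AppData\Local\Temp\update.txt scrobj.dll"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\victim\notes.txt"},
]

_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
# Six 32-character rotations of the alphabet stand in for encoded tunnel payloads.
TUNNEL_QUERIES = [(_ALPHABET[i:] + _ALPHABET[:i])[:32] + ".tunnel-example.test" for i in range(6)]
BENIGN_QUERIES = ["www.example.com", "mail.example.com", "www.example.com",
                  "cdn.example.com", "login.example.com"]

if __name__ == "__main__":
    for idx, why in scan_process_events(PROCESS_EVENTS):
        print(f"process event {idx}: " + "; ".join(why))
    for dom, stats in dns_tunnel_candidates(TUNNEL_QUERIES + BENIGN_QUERIES).items():
        print(f"possible DNS tunnel to {dom}: {stats}")
```

Only the first process event fires (Office parent, temp path, .txt argument handed to regsvr32), the vendor DLL registration from msiexec does not, and only the constructed tunnel domain is flagged while the handful of short example.com lookups stays quiet. The Google Drive "x_mode" fallback is deliberately not modelled here: its traffic blends into legitimate HTTPS to Google, so catching it is a matter of correlating an unexpected process (the fake updater) with Drive API access rather than inspecting the traffic itself.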

DarkHydrus uses open-source phishing tools to generate the malicious documents these attacks require and to lure victims into opening them. Users should avoid opening such files from untrusted sources: enabling macros in a document from an unknown sender is exactly what starts the infection chain described above.
