Researchers at 360’s Threat Intelligence Centre (360 TIC) identified attacks carried out by the DarkHydrus advanced persistent threat (APT) group against politically valuable targets in the Middle East, luring them with Excel documents laced with malicious VBA code (macros).
Macros are disabled by default in the Microsoft Office suite for security reasons, and they do not run unless the user enables the feature manually. The Arabic-language Excel documents created by the DarkHydrus group prompt the user to enable macros; the group then performs several additional steps to drop a backdoor, a new variant of the RogueRobin Trojan, onto the victim’s machine, giving them full control of it.
According to research from Palo Alto, the RogueRobin Trojan deployed in these attacks appears to be a compiled variant that collects stolen system information, including hostnames, and sends it to a command-and-control (C2) server through a DNS tunnel.
If the DNS tunnel is unavailable, the Trojan supports a command named “x_mode” that switches it to exchanging information through Google Drive; the command supplies the URLs used for downloading, uploading and updating files, along with authentication details. Alphabet Inc, the owner of Google, was not immediately available for comment.
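The DNS-tunnel channel described above leaves a recognisable trace in resolver logs: a client issuing many distinct, long, high-entropy subdomains under one registered domain. The following is an added detection example written for this article, not code from 360 TIC, Palo Alto or the RogueRobin sample; the log lines, domain names and thresholds are constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample of (client_ip, queried_name) pairs, as a resolver might log them.
# The tunnel-like names are invented; they are not indicators from any real sample.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "2j9x0kq4v7m1zp8r3s5t6w.c2-placeholder.test"),
    ("10.0.0.7", "x5q8r2m0kz1v7p3s9t6w4j.c2-placeholder.test"),
    ("10.0.0.7", "p3s9t6w4jx5q8r2m0kz1v7.c2-placeholder.test"),
    ("10.0.0.7", "m0kz1v7p3s9t6w4jx5q8r2.c2-placeholder.test"),
    ("10.0.0.9", "cdn.example.org"),
]

def shannon_entropy(s):
    """Bits of entropy per character; encoded payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name):
    # Naive: keep the last two labels. A production detector should use the public suffix list.
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def looks_like_tunnel_label(name, entropy_threshold=3.5, min_label_len=20):
    """True if the leftmost label is long and high-entropy, i.e. looks like encoded data."""
    labels = name.lower().rstrip(".").split(".")
    sub = labels[0] if len(labels) > 2 else ""
    return len(sub) >= min_label_len and shannon_entropy(sub) >= entropy_threshold

def find_suspected_tunnels(queries, min_unique=3):
    """Group suspicious names by (client, registered domain); return groups with many unique names.

    Legitimate CDNs rarely produce many distinct 20+ character random labels from one client,
    whereas a DNS tunnel must, because each chunk of data becomes a fresh subdomain.
    """
    seen = defaultdict(set)
    for client, name in queries:
        if looks_like_tunnel_label(name):
            seen[(client, registered_domain(name))].add(name)
    return {key: len(names) for key, names in seen.items() if len(names) >= min_unique}

if __name__ == "__main__":
    print(find_suspected_tunnels(SAMPLE_QUERIES))
```

Thresholds are a starting point; tune them against your own resolver's baseline, and pair the DNS heuristic with egress monitoring for Google Drive API traffic from hosts that have no business using it, since that is the fallback channel the article describes.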
The DarkHydrus group has been active since at least 2017 with various credential-harvesting campaigns. DarkHydrus tends to use spear-phishing emails which lure victims to provide login details through an attached ‘template’ file hosted on remote servers controlled by the attackers.
They use open-source phishing tools to create the malicious documents required by these attacks and entice victims to open these files with names such as “project proposal.”
This is not the first time the group has targeted the Middle East: in August 2018, DarkHydrus made headlines for leveraging the open-source Phishery tool to conduct a credential-stealing campaign against government and educational institutions in the region.