Since the majority of security tools also monitor network traffic to detect malicious IP addresses, attackers increasingly utilize the infrastructure of legitimate services to conceal their malicious activities.
Researchers have discovered a new malware attack campaign associated with the infamous DarkHydrus APT group, which uses Google Drive as its command-and-control (C2) server.
DarkHydrus was first identified in August of last year, when the advanced persistent threat (APT) group was observed using the open-source Phishery tool to conduct a credential-harvesting campaign against government entities and educational institutions in the Middle East.
According to reports published by the 360 Threat Intelligence Center (360TIC) and Palo Alto Networks, the latest malicious campaign carried out by the DarkHydrus APT group was also observed against targets in the Middle East.
This time, the advanced threat attackers are employing a new variant of their RogueRobin backdoor Trojan, which infects victims’ computers by tricking them into opening a Microsoft Excel document with embedded VBA macros, as opposed to exploiting a zero-day Windows vulnerability.
Enabling the macro drops a malicious text (.txt) file in the temporary directory and then uses the legitimate 'regsvr32.exe' application to execute it, ultimately installing the RogueRobin backdoor, written in the C# programming language, on the compromised system.
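The delivery chain just described (an Office macro drops a non-DLL file into a temp directory and regsvr32.exe is used to run it) leaves a distinctive trace in process-creation telemetry. The following is an added detection example, not code from the article, the researchers, or the malware: it assumes process-creation records shaped like the constructed dicts below (image path, command line, parent image), and flags regsvr32.exe launches whose command line references a temp-directory file that is not a normal .dll/.ocx component, with an Office parent recorded as a second indicator. All paths and events are constructed sample data.

```python
"""Flag regsvr32.exe launches that load a non-component file from a temp
directory (the pattern described in the article), optionally strengthened
by an Office parent process. Records are constructed samples, not real
telemetry; field names (image, cmdline, parent) are an assumption."""
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events (hypothetical paths).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # macro-style chain: Excel -> regsvr32 executing a dropped .txt file
        "image": r"C:\Windows\System32\regsvr32.exe",
        "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\report.txt",
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
    },
    {   # ordinary component registration by an installer: not flagged
        "image": r"C:\Windows\System32\regsvr32.exe",
        "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor App\vendor.dll"',
        "parent": r"C:\Windows\System32\msiexec.exe",
    },
    {   # non-Office parent, but a temp-directory .txt is still loaded: flagged
        "image": r"C:\Windows\System32\regsvr32.exe",
        "cmdline": r"regsvr32.exe /s C:\Windows\Temp\update.txt",
        "parent": r"C:\Windows\explorer.exe",
    },
    {   # unrelated process touching a temp file: ignored
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": r"notepad.exe C:\Users\alice\AppData\Local\Temp\notes.txt",
        "parent": r"C:\Windows\explorer.exe",
    },
]

# User and system temp directories as they appear inside a Windows path.
TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# A quoted path (may contain spaces) or an unquoted one (no spaces).
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')
OFFICE_PARENTS = ("excel.exe", "winword.exe", "powerpnt.exe")
COMPONENT_EXTS = (".dll", ".ocx")


def command_line_paths(cmdline: str) -> List[str]:
    """Extract every Windows path from a command line."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(cmdline)]


def regsvr32_reasons(event: Dict[str, str]) -> List[str]:
    """Return the indicators that make a regsvr32 launch suspicious (empty if none)."""
    if not event["image"].lower().endswith("\\regsvr32.exe"):
        return []
    reasons = []
    for path in command_line_paths(event["cmdline"]):
        if TEMP_DIR_RE.search(path) and not path.lower().endswith(COMPONENT_EXTS):
            reasons.append(f"non-component file loaded from temp directory: {path}")
    # Only escalate on the parent when the primary indicator is present,
    # so a plain Office-launched DLL registration stays quiet.
    if reasons and event["parent"].lower().endswith(OFFICE_PARENTS):
        reasons.append("parent is an Office application (macro-launched)")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every event that triggers the rule."""
    hits = []
    for i, event in enumerate(events):
        reasons = regsvr32_reasons(event)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

The rule keys on the file extension rather than on the file's content, so a renamed DLL in a temp directory is still caught while vendor installers registering real components are not; tune the temp-directory pattern to the directories your own telemetry reports.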
According to researchers from Palo Alto, RogueRobin includes several stealth functions to determine if it is running in a sandbox environment, such as checking for virtualized environments, low memory, processor counts, and common analysis tools. It contains anti-debug code as well.
The new variant of RogueRobin communicates with its command-and-control server using DNS tunneling, a technique for sending or retrieving data and commands through DNS query packets.
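Because DNS tunneling has to pack data and commands into the query names themselves, it produces many distinct, long, high-entropy subdomain labels under a single registered domain. The script below is an added detection example, not code from the article or from the researchers: it assumes DNS query logs in the constructed four-field format shown (timestamp, client, query type, query name), groups queries by registered domain, and reports domains whose unique subdomains are unusually long and random-looking. The log lines and the `c2-placeholder.test` domain are constructed sample data.

```python
"""Heuristic DNS-tunnelling detection over DNS query logs. Queries are
grouped by registered domain; a domain is reported when its distinct
subdomain labels are long and high-entropy. Log lines are constructed
samples in an assumed "<timestamp> <client> <qtype> <qname>" format."""
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample log lines (placeholder domains, not real traffic).
SAMPLE_QUERIES: List[str] = [
    "2019-01-18T10:00:01Z 10.0.0.5 A www.example.com",
    "2019-01-18T10:00:02Z 10.0.0.5 A mail.example.com",
    "2019-01-18T10:00:03Z 10.0.0.5 A cdn.example.com",
    "2019-01-18T10:00:04Z 10.0.0.5 A api.example.com",
    "2019-01-18T10:00:05Z 10.0.0.5 A login.example.com",
    "2019-01-18T10:00:06Z 10.0.0.5 TXT 6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d.c2-placeholder.test",
    "2019-01-18T10:00:07Z 10.0.0.5 TXT f0e1d2c3b4a5968778695a4b3c2d1e0f.c2-placeholder.test",
    "2019-01-18T10:00:08Z 10.0.0.5 A 0123456789abcdeffedcba9876543210.c2-placeholder.test",
    "2019-01-18T10:00:09Z 10.0.0.5 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.c2-placeholder.test",
    "2019-01-18T10:00:10Z 10.0.0.5 TXT deadbeefcafef00d1234567890abcdef.c2-placeholder.test",
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname: str) -> Tuple[str, str]:
    """Return (subdomain, registered domain); the last two labels are taken as
    the registered domain (a public-suffix list would refine this)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(lines: List[str], min_unique: int = 5, min_avg_len: int = 24,
            min_avg_entropy: float = 3.0) -> Dict[str, Dict[str, float]]:
    """Report registered domains whose distinct subdomains look like encoded data."""
    per_domain = defaultdict(list)
    for line in lines:
        _ts, _client, qtype, qname = line.split()
        sub, dom = split_name(qname)
        if sub:  # queries for the bare registered domain carry no payload
            per_domain[dom].append((sub, qtype.upper()))

    flagged: Dict[str, Dict[str, float]] = {}
    for dom, entries in per_domain.items():
        uniq = {sub for sub, _ in entries}
        if len(uniq) < min_unique:  # too few samples to judge
            continue
        avg_len = sum(len(s) for s in uniq) / len(uniq)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in uniq) / len(uniq)
        txt_share = sum(1 for _, q in entries if q == "TXT") / len(entries)
        if avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            flagged[dom] = {
                "unique_subdomains": len(uniq),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "txt_share": round(txt_share, 2),  # TXT answers carry data back down
            }
    return flagged


if __name__ == "__main__":
    for domain, stats in analyze(SAMPLE_QUERIES).items():
        print(domain, stats)
```

Length and entropy thresholds are the knobs to tune against your own baseline: CDNs and some anti-spam services also emit long machine-generated labels, so in practice the report is a triage queue rather than a verdict, and the TXT share helps separate a data channel from plain beaconing.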
However, researchers discovered that in addition to DNS tunneling, the malware was also designed to use Google Drive APIs as an alternative channel for sending and receiving data and commands from hackers.
“RogueRobin uploads a file to the actor’s Google Drive account and continuously checks the file’s modification time to determine whether the actor has modified it. The actor will modify the file to include a unique identifier for future communications by the Trojan,” according to Palo Alto researchers.
The new malware campaign suggests that APT hacking groups are utilizing more legitimate services for their command-and-control infrastructure to avoid detection.
It should be noted that since VBA macros are a legitimate feature, the majority of antivirus programs do not issue a warning or block Microsoft Office documents containing VBA code.
The best way to protect yourself from such malware attacks is to always be suspicious of any uninvited email attachments and to never click on links within these attachments without first verifying their source.