With the latest technology using the security tools to detect the malicious IP addresses having constant watch on the network traffic, led the cybercriminals adopt new ways and legal services to mask the malicious activities of their attacks. Lately, the cybersecurity researchers have spotted a new malware attack campaign that is linked to the DarkHydrus APT group who uses Google Drive as its command-and-control server (C2). The DarkHydrus APT was first detected in August, 2018 when the APT group was busy leveraging the open-source phishing tool in an intention to carry out the credential-harvesting campaign against the government entities and the educational institutions located in the Middle East.
The recent malicious attack campaign was conducted by the DarkHydrus APT group who was also observed against the targets in the Middle East which is revealed by the reports published by the 360 Threat Intelligence Center (360ITC) and the Palo Alto Networks. But this time, the cybercriminals are implementing a new variant of their backdoor Trojan named RogueRobin that is reported to infect the victims’ computers by tricking the victims into opening a Microsoft Excel document that contains embedded VBA macros in place of exploiting any Windows zero-day vulnerability.
The process undergoes enabling the macro drops, a malicious text or .txt file in the temporary directory and then leveraging the legitimate ‘regsvr32.exe’ application to run it and finally installing the RogurRobin backdoor Trojan written in the C# programming language on the infected system. Similar to the actual version, the new variant of RogurRobin as well uses DNS tunnelling to communicate with its command-and-control server. DNS tunnelling simply refers to sending or receiving data and commands through the DNS query packets. Besides this, the malware DarkHydrus APT, has also been designed aiming to use the Google Drive APIs as an alternative channel to send and receive commands from the hackers.