The DarkHydrus advanced persistent threat (APT) group is back and this time is not only using Windows vulnerabilities to infect victims but is also abusing Google Drive as an alternative communications channel.
Last week, researchers from the 360 Threat Intelligence Centre (360TIC) said the hackers have a new campaign underway which is focusing on targets in the Middle East.
The threat has been called "sneaky" and "creative" by security experts, who first secured samples of malicious Microsoft Excel documents on 9 January 2019.
The RogueRobin Trojan deployed in recent attacks appears to be a compiled variant which will collect and send stolen system information, including host names, to a command-and-control (C2) server through a DNS tunnel.
However, if this tunnel is not available, the Trojan contains instructions under the name "x_mode" to use Google Drive as an alternative file server which acts as a backup should the main C2 communication route fail.
The APT has been active since at least 2017 with various credential-harvesting campaigns. DarkHydrus tends to use spear-phishing emails which lure victims to provide login details through an attached 'template' file hosted on remote servers controlled by the attackers.
DarkHydrus uses open-source phishing tools to create the malicious documents required by these attacks and entices victims to open these files with names such as "project proposal."
The APT is also believed to be using CVE-2018-8414, a Microsoft Windows validation path vulnerability which can result in remote code execution when exploited.
"In recent APT incidents, more and more threat actors tend to adopt Office VBA macro instead of Office zero-day vulnerabilities in the consideration of cost reduction," the researchers say.
"It is recommended that users avoid opening documents from untrusted sources."