Malware Using Google Drive To Proliferate RogueRobin Trojan

RogueRobin Trojan

Disguising malicious acts under legit services has now become sort of trend proudly used by hackers. Most of the security tools look out for malicious IP addresses on the network traffic. But what if cybercriminals are utilizing legitimate services’ infrastructure to hide their malicious activities while attacking?

Isn’t it dangerous?

As per cybersecurity researchers, a new malware attack associated with the infamous DarkHydrus APT group uses Google Drive as its C2 (command-and-control) server.

Insight To DarkHydrus APT Operations In 2018

DarkHydrus came into existence in August 2018, when the APT group was taking advantage of an open-source Phishery tool to perform credential-harvesting campaign against educational institutions and government entities in the Middle East.

As per a report by 360 Threat Intelligence Center & Palo Alto Networks, the new malicious attack is carried by DarkHydrus APT was also performed against the Middle East.

How This Attack Works?

This time, the advanced threat attackers used a new variant to backdoor Trojan, described as RogueRobin. This trojan can infect victims’ computers by fooling them into opening an MS Excel document which contains embedded VBA macros, instead of abusing any Windows zero-day vulnerability.

Facilitating the macro slides a malicious .txt file in the temporary directory & influence the legitimate ‘regsvr32.exe’ application to run it, ultimately installing RogueRobin backdoor written in C# programming language on the hacked computer system.

RogueRobin Trojan
Image Source: Hacker News

 

As per some researchers at Palo Alto, a cybersecurity company, the trojan RogueRobin incorporates various stealth functions to investigate if it is performed in the sandbox environment, this involves monitoring low memory, virtualized environments, processor counts and general analysis tools working on the system. Also, it includes an anti-debug code.

Similar to the original version, this new variant of RogueRobin also utilizes DNS tunnelling, a method of sending or recovering data & commands via DNS query packets in order to interact with its command-and-control server.

Although, researchers noticed that apart from DNS tunnelling, the malware also intended to use Google Drive APIs as a substitute channel to send/receive data and commands from hackers.

Also Read : Duqu Virus: The Most Complicated Malware Ever?

According to researchers at Palo Alto, the malware, RogueRobin uploads a file to Google Drive account and constantly monitors the file modification time to see whether the actor has made changes to the file. The actor will change the file to involve a unique identifier which will be used by Trojan for further communications.

This new malware attack insinuates that APT hacking groups have changed their focus point to misusing legit services for their command-and-control infrastructure to avoid detection.

Note: As VBA macros is a legit feature, almost all the Antivirus software doesn’t spot it as malicious content or block the Microsoft Office document containing VBA code.

How To Protect Yourselves?

The best way to avoid getting infected from this kind of malware campaign is to stay alert and check all the unwanted document sent using email. Also, vow to never open links inside those unwanted documents without verifying the source properly.

These malware attacks are a wakeup call and examples of how much hackers have improvised to stay hidden while carrying out their malware operations. Therefore, staying alert is the one thing that you can do to stay safe.

What do you think? Please share your views in the comments section below.

Must Read : 5 Ways You Could Get A Malware Onboard From Social Media