silversurfer
The DarkHydrus threat group has added new functionality to the payloads used in recent attacks and is also leveraging Google Drive for command and control (C&C) purposes, Palo Alto Networks security researchers say.
Initially detailed in the summer of 2018, when it was using open-source tools in attacks targeting government entities in the Middle East, the group was also registering typosquatting domains for security or technology vendors and leveraging novel file types as anti-analysis techniques.
The security researchers collected a total of three DarkHydrus delivery documents that were delivering a new variant of the group’s RogueRobin Trojan. None of these macro-enabled Excel documents contained instructions for the intended victims to enable the macros, but such instructions might have been provided at delivery.
Palo Alto Networks’ researchers couldn’t establish how the documents were delivered or when they were used in attacks, but they believe DarkHydrus created these documents in December 2018 and January 2019.
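The article notes that DarkHydrus registered typosquatting domains impersonating security and technology vendors. The script below is an added example of how a defender might triage observed domains against a vendor allowlist; it is not code from the article, from Palo Alto Networks, or from the reporting on DarkHydrus. The vendor labels, the homoglyph table and every domain in the sample input are constructed for illustration, and the distance threshold is an assumed tuning value.

```python
"""Flag likely typosquats of vendor domains (added example, constructed data)."""
from __future__ import annotations

# Constructed allowlist of legitimate second-level labels (assumption, not
# taken from the article or from any real blocklist).
VENDORS = {"paloaltonetworks", "microsoft", "symantec"}

# Common visual confusions used by typosquatters; illustrative, not exhaustive.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def registrable_label(domain: str) -> str:
    """Return the second-level label, lower-cased: 'Mail.Micros0ft.com' -> 'micros0ft'.

    Assumes a single-label public suffix (.com, .net); suffixes such as .co.uk
    are out of scope for this example.
    """
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Collapse homoglyph pairs so 'rnicrosoft' compares equal to 'microsoft'."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, or swap adjacent."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[m][n]


def classify(domain: str, vendors=VENDORS, max_distance: int = 2):
    """Return (vendor, reason) when a domain looks like a typosquat, else None.

    Checks run from strongest to weakest signal: exact allowlist hit (legitimate),
    homoglyph match, small edit distance, then brand embedded in a longer label.
    max_distance=2 is an assumed threshold; short brand names may need 1.
    """
    label = registrable_label(domain)
    if label in vendors:
        return None
    norm = normalize(label)
    best = None
    for vendor in vendors:
        if norm == normalize(vendor):
            return (vendor, "homoglyph")
        dist = edit_distance(label, vendor)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (vendor, dist)
    if best is not None:
        return (best[0], f"edit-distance-{best[1]}")
    for vendor in vendors:
        if vendor in norm:  # e.g. "micros0ft-update" after homoglyph folding
            return (vendor, "embedded-brand")
    return None


if __name__ == "__main__":
    # Constructed observed domains (e.g. from passive DNS or a newly-registered feed).
    OBSERVED = [
        "paloaltonetworks.com",
        "paloaltonetwork.com",
        "rnicrosoft.com",
        "micros0ft-update.net",
        "symantecc.com",
        "example.org",
    ]
    for dom in OBSERVED:
        print(f"{dom:24s} -> {classify(dom)}")
```

The homoglyph fold is applied before the distance check so that a visually identical label is reported as such rather than as an edit-distance hit; in practice the allowlist, the confusion table and the threshold should come from the organisation's own vendor inventory, and multi-label public suffixes need a proper suffix list.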