A threat actor that is relatively new to the scene relies on open-source tools for spear-phishing attacks designed to steal credentials from government and educational institutions in the Middle East.
The group is being tracked as DarkHydrus by researchers at Palo Alto Networks Unit 42, who observed it using
Phishery in a recent credential harvesting attack. Previous campaigns utilized
Meterpreter,
Cobalt Strike,
Invoke-Obfuscation,
Mimikatz,
PowerShellEmpire, and
Veil. The typical method employed is to weaponize Office documents that retrieves malicious code from a remote site when executed.
In an attack in June, DarkHydrus targeted an educational entity with an email carrying the subject line “Project Offer,” and had a Word document as the attachment. Once the Word document was launched, it prompted the user to enter their username and password in a an authentication prompt. If they did that, the credentials would be sent directly to the command and control server of the malicious actor.
All this would seem legitimate for an unwitting person, especially since the dialog box showed a connection to a fairly familiar domain.