• Cybercriminals have been using malicious IQY files to skim under the antivirus radar and trick users into downloading and running malicious scripts through Excel.
  • DarkHydrus used these files to deliver a custom, PowerShell-based payload named RogueRobin.

A new hacker group dubbed DarkHydrus has targeted at least one government agency in the Middle East using malicious IQY files to drop a custom malicious payload and gain backdoor access to the infected system. According to Palo Alto Networks’ Unit 42, the group has been operational since early 2016.

The group has since diverged from its earlier attack methods and was observed using spear-phishing emails against targeted organizations with password-protected RAR archive attachments that contained malicious Excel Web Query (.iqy) files.

Cybercriminals have been increasingly using this novel approach to skim under the antivirus radar and trick users into downloading and running malicious scripts through Excel such as the Flawed Ammyy RAT.

Targeted spear-phishing campaign

In this campaign, DarkHydrus used these files to deliver a custom, PowerShell-based payload named RogueRobin. The spear-phishing emails sent between July 15 and 16 came with a password RAR archive attached named “credential.rar”. The body of the email, written in Arabic, asks the recipient to review the document within the attached RAR archive. It also mentioned that the password required to open the archive is 123456.

The archive contains a malicious .iqy file named “credential.iqy” that contains a URL. If opened by Microsoft Excel, the user is prompted to enable data connections and download data from a remote server. If the user gives consent, Excel obtains content from the URL and a PowerShell script is run that attempts to download and execute a second script. After seeking consent from the user to launch the command prompt application, the the main payload RogueRobin is executed.

RogueRobin backdoor

“Its developer used the open source Invoke-Obfuscation tool to obfuscate this PowerShell script, specifically using the COMPRESS technique offered by Invoke-Obfuscation,” researchers said. “The decompressed PowerShell payload has some similarities to the PowerShell Empire agent, such as the use of a jitter value and commands referred to by job ID, but we do not have conclusive evidence that the author of this tool used Empire as a basis for their tool.”

Although the PowerShell backdoor may have been custom developed by DarkHydrus, it is also likely that they pieced it together using code from legitimate open source tools, researchers said.

RogueRobin first checks to see if it is being executed within a sandbox environment using WMI queries and checking running processes. Once it determines it isn’t running in a sandbox, it attempts to install itself and persistently execute in the infected system. It also communicates with its command and control (C2) servers using a custom DNS tunneling protocol.

“To establish communications with the C2, the payload will first get a system specific identifier issued by the C2 server,” researchers said. “Once the system identifier is obtained, the payload gathers system specific information and sends it to the C2 server” such as the computer name, username, IP address and more. The payload also interacts with its C2 server to obtain commands for remote administration capabilities.

Interestingly, the domains configured with the payload to be used as C2s seemed to spoof the legitimate domain of popular technology providers or security vendors such as Kaspersky, Fortiweb, Symantec Live and Windows Defender among others.

The listed C2 servers all resolved to IPs linked to a service provider in China, researchers said. Upon further analysis of the IPs, researchers uncovered additional domains used as C2s to deliver other weaponized documents and payloads in 2017. One domain in particular - cisc0[.]net has been previously linked to the Iranian threat group CopyKittens by ClearSky Security.

Weaponized documents

“While there are significant tactical overlaps such as similarity of techniques used as well as victimology, we were unable to uncover significant evidence of relational overlaps,” Unit 42 said. “Studying the other samples, we have attributed to DarkHydrus, we are able to ascertain that this adversary has mainly leveraged weaponized Microsoft Office documents using tools available freely or from open source repositories such as Meterpreter, Mimikatz, PowerShellEmpire, Veil, and CobaltStrike.

“The documents generally do not contain malicious code and instead are weaponized to retrieve remote files containing malicious code on execution. Due to the modular nature of the delivery document, available data for analysis for these attacks are dependent upon the operational nature of the C2 server at the time of execution.”

Cyware Publisher