New variant of RogueRobin trojan uses DNS tunneling to communicate with C2 server

• The infamous DarkHydrus threat actor group is behind the new variant of RogueRobin trojan.
• It is used against firms in the Middle East.

A new attack campaign that is used to distribute a new variant of RogueRobin trojan has been observed by security researchers. The attack is performed by the infamous DarkHydrus threat actor group and is being used against targets in the Middle East.

Propogation method

Researchers at 360’s Threat Intelligence Center (360 TIC) reported that the variant is propagated via a malicious macro that comes embedded within an Excel document.

“This malware is a lure Excel document with the name ‘الفهارس.xlsm’. When it is opened, embedded VBA macro is triggered to run. That macro drops 12-B-366.txt to ‘%TEMP%’ directory first, then leverages regsvr32.exe to run 12-B-366.txt,” said 360 TIC researchers in their analysis report.

Using Google Drive to send instructions

DarkHydrus uses Google Drive to send instructions to the RogueRobin trojan variant. The command is referred to as ‘x-mode’ and is disabled by default. However, the bad actors can turn it on via DNS tunneling channel - which enables the malware to connect with the attacker’s C2 server.

Once the RogueRobin variant connects with the C2 server, it receives instruction for downloading malicious URLs that can be used to upload and update both files and authentication details.

In yet another report, researchers at Unit 42 found that “in addition to checks for common analysis tools running on the system. The Trojan also checks to see if a debugger is attached to its processes and will exit if it detects the presence of a debugger.”

If a debugger is identified, the query resolves to a hex-coded subdomain such as 676f6f646c75636b.gogle[.]co - which is decoded as ‘goodluck.’

"This DNS query likely exists as a note to researchers or possibly as an anti-analysis measure, as it will only trigger if the researcher has already patched the initial debugger check to move onto the C2 function," the Unit 42 researchers explain.

The latest evolution in RogueRobin indicates that DarkHydrus group are adding new techniques to their attack methods. They have shifted their previous PowerShell-based RogueRobin code to a new variant that can be executed via malicious excel document.