A new threat actor group, DarkHydrus, has been targeting government agencies in the Middle East with an attack campaign, coined RogueRobin, to gain backdoor access to the agency systems. The campaign was carried out through targeted spear phishing emails with RAR archive attachments containing malicious Excel Web Queries files (.iqy).
Once the data connection is enabled, Excel pulls content from the URL contained in the .iqy file and stores this in the ‘A0’ cell in the worksheet.
DarkHydrus employs this functionality to retrieve and install the malicious PowerShell-based payload from a remote server, establishing communication with a C2 server using a custom DNS tunneling protocol.
To persistently execute, a shortcut is then created in the Windows startup folder to run the script every time the user logs in.
The updated LogPoint generic Malware Threat Detection application provides you with a comprehensive package to detect any malware infection in just a few simple steps. The list of updated IoCs required to run the application are as follows.
|1||MALWARE_HASH||List of all hash values of malicious files and applications|
|2||MALWARE_FILE||List of all malicious files and applications|
|3||MALWARE_EMAIL||List of all email addresses of known attacker|
|4||MALWARE_IP||List of all malicious ip addresses|
|5||MALWARE_URL||List of all malicious urls|
This version of the application detects the following malwares:
- APT-C-23 and Micropsia
- Oilrig – DMI Connect
- PRB-Backdoor and its connection to Oilrig
- myetherwallet impersonations
- “SilentLibrarian” (Iranian threat actor Mabna Institute)
- Arid Viper
- Malicious Invoice of Telcel Mexican Telecommunication Company
Log Source Requirements
- Windows Server/Integrity Scanner
- Detects malicious file installation and malware infected hosts
- Mail Server
- Detects any emails sent to malicious address
- Detects connection to and from malicious listed sources
- Web Server/Proxy/Firewall
- Detects connection to malicious domains and urls
Contact us for more information.