A new threat actor group, DarkHydrus, has been targeting government agencies in the Middle East with an attack campaign, dubbed RogueRobin, to gain backdoor access to the agencies' systems. The campaign was carried out through targeted spear-phishing emails with RAR archive attachments containing malicious Excel Web Query (.iqy) files.

Once the user enables the data connection, Excel pulls content from the URL contained in the .iqy file and stores it in the ‘A0’ cell of the worksheet.

DarkHydrus abuses this functionality to retrieve and install a PowerShell-based payload from a remote server; the payload then communicates with a C2 server over a custom DNS tunneling protocol.

For persistence, a shortcut is then created in the Windows startup folder so that the script runs every time the user logs in.

The updated LogPoint generic Malware Threat Detection application provides you with a comprehensive package to detect any malware infection in just a few simple steps. The updated IoC lists required to run the application are as follows:

  • MALWARE_HASH: list of all hash values of malicious files and applications
  • MALWARE_FILE: list of all malicious files and applications
  • MALWARE_EMAIL: list of all email addresses of known attackers
  • MALWARE_IP: list of all malicious IP addresses
  • MALWARE_URL: list of all malicious URLs
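The .iqy delivery step described above and the MALWARE_URL / MALWARE_IP lists can be tied together in a small defender-side check. The following is an added example, not LogPoint's application code: it parses an .iqy attachment, extracts the URL Excel would fetch, matches it against the lists, and flags any remaining external web query as suspicious. The list contents and the sample attachment are constructed values, not indicators from this page.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-ins for the application's MALWARE_URL and MALWARE_IP lists.
# Hypothetical values, not indicators taken from the page.
MALWARE_URL = {"bad.example/IqyFile/report.txt"}
MALWARE_IP = {"203.0.113.10"}

# Constructed .iqy attachment in the format Excel expects: a "WEB" type line,
# a version line, then the URL whose content lands in the worksheet.
SAMPLE_IQY = "WEB\r\n1\r\nhttp://bad.example/IqyFile/report.txt\r\n"


def parse_iqy(text):
    """Return the URL an Excel Web Query file would fetch, or None if malformed."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    return lines[2]


def _is_internal(host):
    """True for private/loopback IP literals; hostnames count as external."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host == "localhost"


def assess_iqy(text):
    """'malicious' on an IoC hit, 'suspicious' for any external web query
    (the DarkHydrus delivery technique), 'benign' for internal queries."""
    url = parse_iqy(text)
    if url is None:
        return {"verdict": "not_iqy", "url": None, "reasons": []}
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    # MALWARE_URL entries are keyed as host + path, without the scheme
    if host + parsed.path in MALWARE_URL:
        reasons.append("url_in_MALWARE_URL")
    if host in MALWARE_IP:
        reasons.append("ip_in_MALWARE_IP")
    if reasons:
        verdict = "malicious"
    elif parsed.scheme in ("http", "https") and not _is_internal(host):
        reasons.append("external_web_query")
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "url": url, "reasons": reasons}
```

Run `assess_iqy(SAMPLE_IQY)` to see the constructed attachment classified as malicious via the URL list; an .iqy pointing at an unlisted external host is still reported as suspicious, which matters because the URL in a fresh campaign will not yet be on any list.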

This version of the application detects the following malware families and campaigns:

  • DarkHydrus
  • APT-C-23 and Micropsia
  • EmissaryPanda
  • Oilrig – DMI Connect
  • PRB-Backdoor and its connection to Oilrig
  • MyEtherWallet impersonations
  • “SilentLibrarian” (Iranian threat actor Mabna Institute)
  • Arid Viper
  • Malicious invoices impersonating Telcel, the Mexican telecommunications company

Log Source Requirements

  • Windows Server/Integrity Scanner
    • Detects malicious file installation and malware-infected hosts
  • Mail Server
    • Detects emails sent to listed malicious addresses
  • Firewall
    • Detects connections to and from listed malicious sources
  • Web Server/Proxy/Firewall
    • Detects connections to listed malicious domains and URLs

Contact us for more information.