A new threat actor group, DarkHydrus, has been targeting government agencies in the Middle East with an attack campaign, coined RogueRobin, to gain backdoor access to the agencies' systems. The campaign was carried out through targeted spear phishing emails carrying RAR archive attachments that contained malicious Excel Web Query files (.iqy).

When the .iqy file is opened and the data connection is enabled, Excel pulls content from the URL contained in the .iqy file and stores it in the 'A0' cell of the worksheet.

DarkHydrus employs this functionality to retrieve and install a malicious PowerShell-based payload from a remote server; the payload then establishes communication with a C2 server over a custom DNS tunneling protocol.

For persistence, a shortcut is then created in the Windows startup folder so that the script runs every time the user logs in.

The updated LogPoint generic Malware Threat Detection application provides a comprehensive package to detect malware infections in a few simple steps. The updated IoC lists required to run the application are as follows.

  #  List Name      Values
  1  MALWARE_HASH   List of all hash values of malicious files and applications
  2  MALWARE_FILE   List of all malicious files and applications
  3  MALWARE_EMAIL  List of all email addresses of known attackers
  4  MALWARE_IP     List of all malicious IP addresses
  5  MALWARE_URL    List of all malicious URLs

This version of the application detects the following malware families and campaigns:

  • DarkHydrus
  • APT-C-23 and Micropsia
  • QUADAGENT
  • EmissaryPanda
  • Oilrig – DMI Connect
  • PRB-Backdoor and its connection to Oilrig
  • myetherwallet impersonations
  • “SilentLibrarian” (Iranian threat actor Mabna Institute)
  • Arid Viper
  • Malicious invoices impersonating Telcel, a Mexican telecommunications company

Log Source Requirements

  • Windows Server/Integrity Scanner
    • Detects malicious file installations and malware-infected hosts
  • Mail Server
    • Detects any emails sent to listed malicious addresses
  • Firewall
    • Detects connections to and from listed malicious sources
  • Web Server/Proxy/Firewall
    • Detects connections to listed malicious domains and URLs
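As an added example (not LogPoint's application code and not from the original post), the following Python script shows how the five IoC lists above can be matched against records from the four log sources, and how the fetch URL inside an .iqy attachment is extracted and checked against the URL and IP lists. All list values, log lines and the key=value log format are constructed placeholders, and the .iqy layout used (line 1 "WEB", line 2 a version number, line 3 the URL) is assumed to be the simple form.

```python
import re
from urllib.parse import urlparse

# Constructed IoC lists named after the five lists in the table (placeholder values, not real indicators).
IOC_LISTS = {
    "MALWARE_HASH": {"0123456789abcdef0123456789abcdef"},
    "MALWARE_FILE": {"releasenotes.iqy"},
    "MALWARE_EMAIL": {"sender@attacker.example"},
    "MALWARE_IP": {"198.51.100.23"},
    "MALWARE_URL": {"http://c2.example/releasenotes.txt"},
}
# Which normalised log field is compared against which list.
FIELD_TO_LIST = {"hash": "MALWARE_HASH", "file": "MALWARE_FILE", "email": "MALWARE_EMAIL",
                 "ip": "MALWARE_IP", "url": "MALWARE_URL"}
# Constructed key=value log lines, one per log source named above (hypothetical format).
SAMPLE_LOGS = [
    "source=mail email=sender@attacker.example file=releasenotes.iqy",
    "source=integrity host=ws01 file=update.xlsx hash=0123456789abcdef0123456789abcdef",
    "source=firewall ip=198.51.100.23 port=53 proto=udp",
    "source=proxy host=ws01 url=http://c2.example/releasenotes.txt",
    "source=proxy host=ws02 url=http://intranet.example/index.html",
]

def iqy_url(iqy_text):
    """URL an .iqy web query tells Excel to fetch (assumed layout: WEB / version / URL), else None."""
    lines = [l.strip() for l in iqy_text.splitlines() if l.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    return lines[2]

def parse_log(line):
    """Turn a key=value line into a dict; values are lower-cased so list comparison is case-insensitive."""
    return {k: v.lower() for k, v in re.findall(r"(\w+)=(\S+)", line)}

def match_iocs(record):
    """Names of every IoC list that one normalised record hits."""
    return sorted(lst for field, lst in FIELD_TO_LIST.items() if record.get(field) in IOC_LISTS[lst])

def check_iqy(iqy_text):
    """Match the URL inside an .iqy attachment, and the host it points to, against the URL and IP lists."""
    url = iqy_url(iqy_text)
    if url is None:
        return []
    return match_iocs({"url": url.lower(), "ip": urlparse(url).hostname or ""})

def scan_logs(lines):
    """Return (line, hits) for every log line that matches at least one list."""
    return [(line, hits) for line in lines if (hits := match_iocs(parse_log(line)))]

if __name__ == "__main__":
    for line, hits in scan_logs(SAMPLE_LOGS):
        print(hits, line)
    print(check_iqy("WEB\n1\nhttp://c2.example/releasenotes.txt\n"))
```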

Contact us for more information.