Since most security tools also monitor network traffic for connections to known-malicious IP addresses, attackers are increasingly abusing the infrastructure of legitimate services to hide their malicious activities.
Cybersecurity researchers have now spotted a new malware attack campaign linked to the notorious DarkHydrus APT group that uses Google Drive as its command-and-control (C2) server.
DarkHydrus first came to light in August last year, when the APT group was leveraging the open-source Phishery tool to carry out a credential-harvesting campaign against government entities and educational institutions in the Middle East.
The latest malicious campaign conducted by the DarkHydrus APT group was also observed against targets in the Middle East, according to reports published by the 360 Threat Intelligence Centre (360TIC) and Palo Alto Networks.
This time the attackers are using a new variant of their backdoor Trojan, called RogueRobin, which infects victims' computers by tricking them into opening a Microsoft Excel document containing embedded VBA macros, rather than by exploiting any Windows zero-day vulnerability.
Enabling the macro drops a malicious text (.txt) file in the temporary directory and then leverages the legitimate 'regsvr32.exe' application to run it, eventually installing the RogueRobin backdoor, written in C#, on the compromised system.
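As an added example (not code from the article or from the researchers' reports), the following Python triage routine flags the delivery chain described above in process-creation telemetry: an Office process spawning regsvr32.exe with a non-library file from a temp directory. The Sysmon-style field names, file paths and sample records are constructed assumptions.

```python
"""Flag regsvr32.exe launches that resemble the macro -> temp .txt -> regsvr32 chain."""
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LIBRARY_EXTS = {".dll", ".ocx", ".ax"}  # what regsvr32 normally registers
TEMP_MARKER = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# Constructed Sysmon-style process-creation records (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\report.txt"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\tool.dll"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
]

def _file_args(cmdline):
    """Return command-line tokens that look like file paths, excluding the regsvr32 binary itself."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]+"|\S+', cmdline)]
    return [t for t in tokens if "\\" in t and not t.lower().endswith("regsvr32.exe")]

def analyze_event(ev):
    """Return the reasons a process-creation event looks like this chain, or [] if it does not."""
    if PureWindowsPath(ev["Image"]).name.lower() != "regsvr32.exe":
        return []
    reasons = []
    parent = PureWindowsPath(ev["ParentImage"]).name.lower()
    if parent in OFFICE_APPS:
        reasons.append(f"spawned by Office application {parent}")
    for arg in _file_args(ev["CommandLine"]):
        path = PureWindowsPath(arg)
        if path.suffix.lower() not in LIBRARY_EXTS:  # regsvr32 given a .txt or similar
            reasons.append(f"non-library argument {path.name}")
        if TEMP_MARKER.search(arg):  # payload staged in a temp directory
            reasons.append(f"argument in temp directory {path.name}")
    return reasons

def find_suspicious(events):
    """Return (command line, reasons) for every event that triggers at least one reason."""
    hits = []
    for ev in events:
        reasons = analyze_event(ev)
        if reasons:
            hits.append((ev["CommandLine"], reasons))
    return hits

if __name__ == "__main__":
    for cmd, why in find_suspicious(SAMPLE_EVENTS):
        print(cmd, "->", "; ".join(why))
```

The benign msiexec-driven DLL registration and the unrelated browser launch produce no reasons, so only the Office-spawned regsvr32.exe with a temp .txt argument is reported.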