20 January 19, 09:34
(This post was last modified: 20 January 19, 09:38 by silversurfer.)
Quote: New malicious campaigns attributed to DarkHydrus APT group show the adversary's use of a new variant of the RogueRobin Trojan and of Google Drive as an alternative command and control (C2) communication channel.
The group's latest activity was observed against targets in the Middle East, luring them with Excel documents laced with malicious VBA code (macro).
For security reasons, macros are disabled by default in the Microsoft Office suite, and they do not run unless the user enables the feature manually.
According to research from Palo Alto Networks' Unit 42, the text file hides a Windows Script Component (.SCT) file that delivers a version of the RogueRobin trojan. Originally, this custom payload is PowerShell-based, but it looks like the threat actor ported it to a compiled variant.
In a report this week, Unit 42 writes that "in addition to checks for common analysis tools running on the system. The Trojan also checks to see if a debugger is attached to its processes and will exit if it detects the presence of a debugger."
Source: https://www.bleepingcomputer.com/news/se...in-trojan/