
RogueRobin

RogueRobin is a payload used by DarkHydrus that has been developed in PowerShell and C#. (Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)
ID: S0270
Type: MALWARE
Platforms: Windows
Version: 2.2
Created: 17 Oct 2018
Last Modified: 22 Mar 2023

Techniques Used

Domain ID Name Use
Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

RogueRobin created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in to establish persistence.(Citation: Unit 42 DarkHydrus July 2018)

Enterprise T1547.009 Boot or Logon Autostart Execution: Shortcut Modification

RogueRobin establishes persistence by creating a shortcut (.LNK file) in the Windows startup folder to run a script each time the user logs in.(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

RogueRobin uses a command prompt to run a PowerShell script from Excel.(Citation: Unit 42 DarkHydrus July 2018) To assist in establishing persistence, RogueRobin creates %APPDATA%\OneDrive.bat and saves the following string to it: powershell.exe -WindowStyle Hidden -exec bypass -File "%APPDATA%\OneDrive.ps1".(Citation: Unit42 DarkHydrus Jan 2019)(Citation: Unit 42 DarkHydrus July 2018)

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

RogueRobin uses Windows Script Components.(Citation: Unit42 DarkHydrus Jan 2019)(Citation: Unit 42 DarkHydrus July 2018)

Enterprise T1132.001 Data Encoding: Standard Encoding

RogueRobin base64 encodes strings that are sent to the C2 over its DNS tunnel.(Citation: Unit 42 DarkHydrus July 2018)

Enterprise T1027.010 Obfuscated Files or Information: Command Obfuscation

The PowerShell script with the RogueRobin payload was obfuscated using the COMPRESS technique in `Invoke-Obfuscation`.(Citation: Unit 42 DarkHydrus July 2018)(Citation: GitHub Invoke-Obfuscation)

Enterprise T1518.001 Software Discovery: Security Software Discovery

RogueRobin enumerates running processes to search for Wireshark and Windows Sysinternals suite.(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)

Enterprise T1218.010 System Binary Proxy Execution: Regsvr32

RogueRobin uses regsvr32.exe to run a .sct file for execution.(Citation: Unit42 DarkHydrus Jan 2019)

Enterprise T1497.001 Virtualization/Sandbox Evasion: System Checks

RogueRobin uses WMI to check the BIOS version for the strings VBOX, bochs, qemu, virtualbox, and vm as evidence that the script might be executing within an analysis environment.(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)

Enterprise T1102.002 Web Service: Bidirectional Communication

RogueRobin has used Google Drive as a Command and Control channel.(Citation: Unit42 DarkHydrus Jan 2019)
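As an added defender-side example (not part of the ATT&CK entry or any cited report), the following Python flags the behaviours described in the rows above in constructed Sysmon-style process-creation events: the hidden, policy-bypassing PowerShell launch of a script under %APPDATA% (T1059.001), regsvr32 loading a .sct scriptlet (T1218.010), Excel spawning a command interpreter, and script text that queries Win32_BIOS for VM product strings (T1497.001). The event field names, paths and sample command lines are assumptions constructed for the example.

```python
"""Added detection example: labels RogueRobin-style behaviours in process events.
Assumption: events are dicts with Sysmon-style Image / ParentImage / CommandLine."""
import re

# Constructed sample events, not real telemetry from any incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"cmd.exe /c %APPDATA%\OneDrive.bat"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell.exe -WindowStyle Hidden -exec bypass -File "C:\Users\u\AppData\Roaming\OneDrive.ps1"'},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"regsvr32.exe /s /n /u /i:C:\Users\u\AppData\Roaming\loader.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # benign control
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]
# Script text that queries Win32_BIOS and compares against the VM names the page lists.
SANDBOX_PROBE = re.compile(r"win32_bios.*?\b(vbox|bochs|qemu|virtualbox)\b", re.I | re.S)

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify(event):
    """Return technique-style labels for one process-creation event (empty if clean)."""
    image, parent = _basename(event["Image"]), _basename(event["ParentImage"])
    cmd = event["CommandLine"].lower()
    hits = []
    if image == "powershell.exe":
        hidden = re.search(r"-w(indowstyle)?\s+hidden", cmd)          # -w / -WindowStyle Hidden
        bypass = re.search(r"-(exec|ep|executionpolicy)\s+bypass", cmd)  # any spelling of the switch
        appdata = "appdata" in cmd and ".ps1" in cmd                    # script staged under %APPDATA%
        if hidden and bypass and appdata:
            hits.append("T1059.001 hidden PowerShell, bypass policy, script under %APPDATA%")
    if image == "regsvr32.exe" and re.search(r"\.sct\b", cmd):
        hits.append("T1218.010 regsvr32 loading .sct scriptlet")
    if parent == "excel.exe" and image in ("cmd.exe", "powershell.exe"):
        hits.append("Excel spawning a command interpreter")
    return hits

def is_sandbox_probe(script_text):
    """True when script text reads Win32_BIOS and matches it against VM product strings."""
    return SANDBOX_PROBE.search(script_text) is not None

def scan(events):
    """Return (index, labels) for every event that produced at least one label."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```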

Groups That Use This Software

ID Name References
G0079 DarkHydrus (Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)
