RogueRobin
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | RogueRobin created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in, to establish persistence.(Citation: Unit 42 DarkHydrus July 2018)
Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | RogueRobin establishes persistence by creating a shortcut (.LNK file) in the Windows startup folder to run a script each time the user logs in.(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | RogueRobin uses a command prompt to run a PowerShell script from Excel.(Citation: Unit 42 DarkHydrus July 2018) To assist in establishing persistence, RogueRobin creates
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | RogueRobin uses Windows Script Components.(Citation: Unit42 DarkHydrus Jan 2019)(Citation: Unit 42 DarkHydrus July 2018)
Enterprise | T1132.001 | Data Encoding: Standard Encoding | RogueRobin base64-encodes strings that are sent to the C2 over its DNS tunnel.(Citation: Unit 42 DarkHydrus July 2018)
Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | The PowerShell script carrying the RogueRobin payload was obfuscated using the COMPRESS technique in `Invoke-Obfuscation`.(Citation: Unit 42 DarkHydrus July 2018)(Citation: GitHub Invoke-Obfuscation)
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | RogueRobin enumerates running processes to search for Wireshark and the Windows Sysinternals suite.(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)
Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | RogueRobin uses regsvr32.exe to run a .sct file for execution.(Citation: Unit42 DarkHydrus Jan 2019)
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | RogueRobin uses WMI to check the BIOS version for the strings VBOX, bochs, qemu, virtualbox, and vm, looking for evidence that the script might be executing within an analysis environment.(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)
Enterprise | T1102.002 | Web Service: Bidirectional Communication | RogueRobin has used Google Drive as a Command and Control channel.(Citation: Unit42 DarkHydrus Jan 2019)
Groups That Use This Software

ID | Name | References
---|---|---
G0079 | DarkHydrus | (Citation: Unit 42 DarkHydrus July 2018) (Citation: Unit42 DarkHydrus Jan 2019)
References
- Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
- Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
- Bohannon, D. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017.