What is the threat?
Cyber researchers have recently found a custom-developed malware known as RogueRobin, which uses multiple techniques to upload files to and download files from affected hosts. The cyber threat adversary DarkHydrus has been reported as responsible for this attack, which targets organizations with spear-phishing emails and open-source penetration testing techniques, including an AppLocker bypass.
Why is this noteworthy?
One of the “multiple techniques” this malware uses is command and control over the Google Drive platform. It uses a custom DNS tunneling protocol to enable a command within the Google Drive API that is disabled by default. This malware was previously seen in a PowerShell-based form; the new campaign uses a version written in the C++ programming language.
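To make the DNS tunneling channel described above concrete from the detection side, here is an added example (not SKOUT's NeverBlink logic and not RogueRobin's actual protocol) that scans constructed DNS query log lines for clients issuing repeated queries whose leading label is long and high-entropy, the usual fingerprint of data being carried in DNS names; the log format, the thresholds, the TXT query type and the `c2-placeholder.test` domain are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not real RogueRobin traffic).
# Format assumed: "<timestamp> <client_ip> <query_name> <qtype>"
SAMPLE_DNS_LOG = """\
2019-01-18T10:00:01 10.0.0.5 www.example.com A
2019-01-18T10:00:02 10.0.0.5 mail.example.com MX
2019-01-18T10:00:03 10.0.0.7 a9f3k2m8q1z7x4c6v0b5n3l8.c2-placeholder.test TXT
2019-01-18T10:00:04 10.0.0.7 h4j7d2s9f1g6k3l0p5o8i2u7.c2-placeholder.test TXT
2019-01-18T10:00:05 10.0.0.7 q2w8e5r1t7y3u9i4o6p0a3s5.c2-placeholder.test TXT
2019-01-18T10:00:06 10.0.0.7 z1x4c7v2b5n8m3k6j9h0g4f7.c2-placeholder.test TXT
2019-01-18T10:00:07 10.0.0.5 drive.google.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking encoded data scores high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_tunnel_like(qname: str, min_label_len: int = 20, min_entropy: float = 3.0) -> bool:
    """Flag a query whose leftmost label is long enough and random enough to carry data."""
    first = qname.rstrip(".").split(".")[0]
    return len(first) >= min_label_len and shannon_entropy(first) >= min_entropy


def find_dns_tunnel_suspects(log_text: str, min_queries: int = 3) -> dict:
    """Group tunnel-like queries by (client, base domain); return those seen
    with at least `min_queries` distinct names, which a single lookup would not produce."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the scan
        _ts, client, qname, _qtype = parts
        if not is_tunnel_like(qname):
            continue
        labels = qname.rstrip(".").split(".")
        base = ".".join(labels[-2:])  # crude registered-domain approximation
        seen[(client, base)].add(qname)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_queries}


if __name__ == "__main__":
    for (client, base), n in find_dns_tunnel_suspects(SAMPLE_DNS_LOG).items():
        print(f"{client} sent {n} tunnel-like queries to {base}")
```

Short labels such as `www` or `drive` never trip the length check, so ordinary lookups of the same services the malware abuses stay quiet; tune the thresholds against your own resolver logs before alerting.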
What is the exposure or risk?
The risk of this kind of attack is clear: the user’s files are in danger of being stolen, deleted, or manipulated. The payload associated with the RogueRobin malware acts as a backdoor that can provide open access to actors with malicious intent. A backdoor available to one malicious party is likely available to others, and because the attack uses a trusted, widely used platform such as Google Drive, customers may not be able to block this threat easily.
What are the recommendations?
SKOUT has implemented detection methods in our NeverBlink monitoring platform to alert on RogueRobin malware. It is also recommended to block the Indicators of Compromise shown here: IOC. Users should verify the sender’s legitimacy and not click on unsolicited attachments. Strong endpoint protection is also recommended to help safeguard against RogueRobin.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Secure Intelligence Center.