New malware found using Google Drive as its command-and-control server
Since most security tools also keep an eye on network traffic to detect malicious IP addresses, attackers are increasingly adopting the infrastructure of legitimate services in their attacks to hide their malicious activities.
Cybersecurity researchers have now spotted a new malware attack campaign linked to the notorious DarkHydrus APT group that uses Google Drive as its command-and-control (C2) server.
DarkHydrus first came to light in August last year when the APT group was leveraging the open-source Phishery tool to carry out a credential-harvesting campaign against government entities and educational institutions in the Middle East.
This time the advanced threat attackers are using a new variant of their backdoor Trojan, called RogueRobin, which infects victims' computers by tricking them into opening a Microsoft Excel document containing embedded VBA macros, instead of exploiting any Windows zero-day vulnerability.
Enabling the macro drops a malicious text (.txt) file in the temporary directory and then leverages the legitimate 'regsvr32.exe' application to run it, eventually installing the RogueRobin backdoor, written in the C# programming language, on the compromised system.
According to Palo Alto researchers, RogueRobin includes many stealth functions to check whether it is being executed in a sandbox environment, including checks for virtualized environments, low memory, low processor counts, and common analysis tools running on the system. It also contains anti-debug code.
Like the original version, the new variant of RogueRobin also uses DNS tunneling—a technique of sending or retrieving data and commands through DNS query packets—to communicate with its command-and-control server.
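The DNS tunneling described above leaves a trace in resolver logs: data or commands encoded into query names produce long, high-entropy subdomains that look nothing like ordinary hostnames. The following Python, added here as an illustrative example and not code from the article or from Palo Alto, scores subdomain length and character entropy over a constructed log sample; the log format, domain names and thresholds are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the article); format: "<time> <client> <qname> <qtype>".
# The long hex labels mimic data chunks encoded into subdomains; the parent domain is a placeholder.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 www.example.com A
12:00:02 10.0.0.5 mail.example.com A
12:00:03 10.0.0.7 7a6b3c1d9e0f4a2b8c7d6e5f.cmd.c2-placeholder.test TXT
12:00:04 10.0.0.7 1f2e3d4c5b6a79880a1b2c3d.cmd.c2-placeholder.test TXT
12:00:05 10.0.0.7 9e8d7c6b5a4f30211a2b3c4d.cmd.c2-placeholder.test TXT
12:00:06 10.0.0.7 0a1b2c3d4e5f60718293a4b5.cmd.c2-placeholder.test TXT
12:00:07 10.0.0.9 cdn.example.com A
"""

def shannon_entropy(text):
    """Bits of entropy per character; encoded payload labels score far higher than hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_line(line):
    """Split one log line into (client, registrable domain, subdomain part, query type)."""
    _time, client, qname, qtype = line.split()
    labels = qname.rstrip(".").lower().split(".")
    parent = ".".join(labels[-2:])      # assumption: registrable domain is the last two labels
    sub = ".".join(labels[:-2])
    return client, parent, sub, qtype

def find_tunneling(log, min_sub_len=20, min_entropy=3.0, min_hits=3):
    """Return parent domains whose subdomains look like encoded data chunks, with per-domain stats."""
    per_parent = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            query = parse_line(line)
            per_parent[query[1]].append(query)
    flagged = {}
    for parent, queries in per_parent.items():
        hits = [q for q in queries if len(q[2]) >= min_sub_len and shannon_entropy(q[2]) >= min_entropy]
        if len(hits) >= min_hits:   # several encoded-looking names under one domain, not a one-off
            flagged[parent] = {
                "queries": len(queries),
                "suspicious": len(hits),
                "unique_subdomains": len({q[2] for q in queries}),
                "clients": sorted({q[0] for q in hits}),
                "txt_queries": sum(1 for q in queries if q[3] == "TXT"),
            }
    return flagged

if __name__ == "__main__":
    for domain, stats in find_tunneling(SAMPLE_LOG).items():
        print(domain, stats)
```

In production the thresholds need tuning against a baseline of the organisation's own traffic, since CDNs and some security products also generate long machine-looking labels.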
The new malware campaign suggests that the APT hacking groups are shifting more towards abusing legitimate services for their command-and-control infrastructure to evade detection.
It should be noted that since VBA macros are a legitimate feature, most antivirus solutions do not flag any warning or block MS Office documents containing VBA code.
The best way to protect yourself from such malware attacks is always to be suspicious of any uninvited document sent via email, and never to click on links inside those documents unless you have properly verified the source.