New Malware Campaign Utilizes Google Drive as C2 Server

Advanced Persistent Threat (APT) group DarkHydrus has released a new version of its backdoor trojan, RogueRobin, in a campaign targeting the Middle East. The infection begins with a Microsoft Excel document containing an embedded malicious macro. The macro drops a .txt file in the temporary directory, which is then executed by a legitimate Windows application, regsvr32.exe, to run and install the RogueRobin backdoor. The malware is notable for its use of Google Drive as its command-and-control (C2) server, and it employs several anti-analysis checks, looking for sandbox or virtualization environments, low memory, a low processor count, and other analysis tools. RogueRobin communicates with its C2 server either through DNS tunneling or through the Google Drive API. Threat actors are expected to increasingly incorporate legitimate services like Google Drive into their malware operations to help avoid detection. The NJCCIC highly discourages all users from enabling macros in documents that arrive in unexpected or unsolicited emails, recommends exercising caution when choosing to enable macros in documents that arrive with emails from known senders, and recommends keeping anti-virus/anti-malware, hardware, and software up-to-date. More information is detailed in a post from Palo Alto Networks' Unit 42.
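The delivery chain above (an Office macro dropping a .txt file into the temp directory and handing it to regsvr32.exe) is visible in process-creation telemetry. The following is an added detection example, not code from the NJCCIC advisory or the Unit 42 report; the field names follow Sysmon conventions and the sample events, file names and paths are constructed.

```python
# Added example: flag process-creation events where regsvr32.exe is spawned by an
# Office application or is handed a non-library file from a temp directory,
# matching the RogueRobin delivery chain described in the advisory.
import re
from typing import Dict, List

OFFICE_PARENTS = ("excel.exe", "winword.exe", "powerpnt.exe")
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
LIBRARY_EXTENSIONS = (".dll", ".ocx", ".ax")  # what regsvr32 normally registers


def _arguments(command_line: str) -> List[str]:
    """Split a Windows command line into tokens, honouring double quotes."""
    tokens = re.findall(r'"([^"]*)"|(\S+)', command_line)
    return [quoted or bare for quoted, bare in tokens][1:]  # drop the image itself


def regsvr32_findings(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like regsvr32 abuse (empty if benign)."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\regsvr32.exe"):
        return []
    reasons = []
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office application {parent}")
    for arg in _arguments(event.get("CommandLine", "").lower()):
        if arg.startswith(("/", "-")):
            continue  # switches such as /s, /u, /n carry no file path
        in_temp = any(marker in arg for marker in TEMP_MARKERS)
        if in_temp and not arg.endswith(LIBRARY_EXTENSIONS):
            reasons.append(f"non-library file from temp directory: {arg}")
    return reasons


def scan(events: List[Dict[str, str]]):
    """Return (index, reasons) for every event that produced at least one finding."""
    results = []
    for index, event in enumerate(events):
        reasons = regsvr32_findings(event)
        if reasons:
            results.append((index, reasons))
    return results


# Constructed sample events (Sysmon-style field names), not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\dropped.txt"'},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\AppData\Local\Temp\notes.txt"},
]
```

Only the first constructed event is flagged, on both counts (Office parent and a .txt argument from the user's temp directory); the legitimate installer registration and the unrelated notepad event produce no findings.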