DarkHydrus Abuses Google Drive To Inject RogueRobin Trojan
DarkHydrus, a threat group tracked as an advanced persistent threat (APT), is back. This time it is delivering the RogueRobin Trojan through macro-laden Microsoft Office documents and abusing Google Drive as an alternative command-and-control (C&C) channel for the trojan, a choice that hides the malicious traffic inside legitimate cloud use and helps it evade antivirus products and network monitoring.
DarkHydrus was first documented in July 2018, when it attacked government organizations and educational institutions in the Middle East.
Recently the group launched yet another attack, this time against political targets in the Middle East.
In this campaign the DarkHydrus APT delivers its RogueRobin backdoor through weaponized Microsoft Excel documents and has given the backdoor the ability to use Google Drive for command and control.
The Excel documents are written in Arabic and carry embedded VBA macros; the malicious code runs once the recipient opens the file and allows the macro to execute.
The macro writes a .TXT file to a temporary directory and then uses the legitimate regsvr32.exe to "register" it.
According to researchers, the text file is actually a Windows Script Component (.SCT) scriptlet. regsvr32 can execute such a scriptlet through scrobj.dll whatever the file's extension, and because regsvr32 is a signed Microsoft binary the technique often slips past application whitelisting; the scriptlet then installs a version of the RogueRobin Trojan on the targeted system.
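The Excel-to-regsvr32-to-scriptlet chain above is easy to spot in process-creation telemetry if you know what to look for. The following is an added example, not code from the article or from any vendor: it runs a few rules over constructed events in the shape of Sysmon process-creation records (Event ID 1). The page does not give the exact command line DarkHydrus used, so the suspicious sample uses the documented regsvr32 scriptlet syntax (`/i:<file> scrobj.dll`); that, the file paths and the process IDs are assumptions.

```python
"""Detection logic for an Office application launching regsvr32.exe to run a
scriptlet (.SCT) disguised as a .txt file.

Added example, not code from the article or any vendor. The events are
constructed Sysmon-style process-creation records; the command line uses the
documented regsvr32 scriptlet syntax, which is an assumption about the campaign.
"""
import re
from collections import defaultdict

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# regsvr32 /i:<file> scrobj.dll makes regsvr32 run a Windows Script Component;
# scrobj.dll ignores the file extension, so a .txt name is no obstacle.
SCROBJ_RE = re.compile(r"\bscrobj\.dll\b", re.IGNORECASE)
INSTALL_ARG_RE = re.compile(r'/i:("?)(?P<target>[^"\s]+)\1', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict) -> list:
    """Return the reasons one process-creation event looks like the chain."""
    if _basename(event.get("Image", "")) != "regsvr32.exe":
        return []
    reasons = []
    cmd = event.get("CommandLine", "")
    parent = _basename(event.get("ParentImage", ""))
    if parent in OFFICE_APPS:
        reasons.append(f"regsvr32 spawned by Office application {parent}")
    if SCROBJ_RE.search(cmd):
        reasons.append("command line loads scrobj.dll (scriptlet execution)")
    match = INSTALL_ARG_RE.search(cmd)
    if match:
        target = match.group("target")
        if not target.lower().endswith(".dll"):
            reasons.append(f"/i: target is not a DLL: {target}")
        if TEMP_DIR_RE.search(target):
            reasons.append("/i: target lives in a temporary directory")
    return reasons


def scan(events) -> dict:
    """Map ProcessId -> reasons for every event that tripped at least one rule."""
    hits = defaultdict(list)
    for event in events:
        for reason in analyze_event(event):
            hits[event["ProcessId"]].append(reason)
    return dict(hits)


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {  # benign: an installer registering a real COM DLL
        "ProcessId": 1001, "Image": r"C:\Windows\System32\regsvr32.exe",
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
    },
    {  # suspicious: Excel macro runs regsvr32 on a "text" file in %TEMP%
        "ProcessId": 4321, "Image": r"C:\Windows\System32\regsvr32.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": r"regsvr32.exe /s /n /u /i:C:\Users\victim\AppData\Local\Temp\update.txt scrobj.dll",
    },
    {  # unrelated process, ignored by the rule
        "ProcessId": 5555, "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe",
    },
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

Only the Excel-spawned event trips the rules, and it trips all four; the installer's regsvr32 call produces nothing because it registers a real DLL with no `/i:` argument. Each rule is weak on its own (developers do register DLLs from temp directories), so a real detection should score the combination rather than alert on any single match.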
The malware is written in C#, and the trojan includes anti-debugging code, which complicates analysis.
The new RogueRobin samples add functionality: they implement the Google Drive API as a secondary method for receiving commands.
This lets the operators use Google Drive as an alternative C&C server, and because the traffic goes over HTTPS to a legitimate, widely used cloud service it is much harder to tell apart from normal user activity.
RogueRobin collects system information, including the hostname, and sends it to the C&C server through a DNS tunnel: the data is encoded into DNS queries to a domain the attackers control and commands come back in the responses, so no ordinary HTTP connection to the attacker is needed.
If the DNS tunnel is unavailable, the trojan has a command, x_mode, that switches it to Google Drive as an alternative channel. Drive then acts as a shared file store that both the implant and the operators read and write, serving as a backup if the main C&C route fails.
x_mode is disabled by default; it is enabled through the DNS tunnelling channel, which remains the main line of communication with the C&C server.
Once it is activated, RogueRobin receives through that channel a unique identifier and a list of settings, stored in variables, that include the URLs for uploading, downloading and updating files through Google Drive as well as the authentication details it needs to use the API.
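Both channels described above leave a network footprint, and neither looks like a classic C&C connection. The following is an added example, not code from the article or any vendor: two heuristics run over constructed log lines. The first groups DNS queries per client and domain and flags the long, high-entropy labels that encoded tunnel data produces; the second flags Google Drive API traffic from a process that is not a browser, which is what the x_mode fallback looks like from an egress proxy. The thresholds, the Drive host names, the `.invalid` domain and the process names are assumptions to tune against your own telemetry.

```python
"""Network-side checks for RogueRobin's two C2 channels: DNS tunnelling
(default) and Google Drive API traffic from a non-browser process (x_mode).

Added example, not code from the article or any vendor. Log lines are
constructed; thresholds, host names and process names are assumptions.
"""
import math
from collections import defaultdict


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score high, real host names low."""
    if not text:
        return 0.0
    length = len(text)
    return -sum(
        (text.count(c) / length) * math.log2(text.count(c) / length)
        for c in set(text)
    )


def registered_domain(qname: str) -> str:
    # Last two labels only; production code should consult the Public Suffix List.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def detect_dns_tunnel(lines, min_queries=8, min_label_len=20, min_entropy=3.5):
    """lines: 'timestamp client qname qtype'.

    A tunnel shows up as one client sending many queries to one domain, each
    with a long, high-entropy leftmost label (the encoded data). Returns
    {(client, domain): stats} for every pair that trips the thresholds."""
    groups = defaultdict(list)
    for line in lines:
        _ts, client, qname, qtype = line.split()
        groups[(client, registered_domain(qname))].append((qname, qtype))
    flagged = {}
    for key, queries in groups.items():
        labels = {q.rstrip(".").split(".")[0] for q, _ in queries}
        if len(labels) < min_queries:
            continue
        avg_len = sum(len(lab) for lab in labels) / len(labels)
        avg_entropy = sum(shannon_entropy(lab) for lab in labels) / len(labels)
        if avg_len >= min_label_len and avg_entropy >= min_entropy:
            flagged[key] = {
                "unique_labels": len(labels),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
                "txt_ratio": round(sum(t == "TXT" for _, t in queries) / len(queries), 2),
            }
    return flagged


# Assumed Drive API endpoints and browser names; adjust to your environment.
DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


def detect_drive_from_non_browser(lines):
    """lines: 'timestamp client process host'. Flags Drive traffic from any
    process that is not a browser (the x_mode requests come from the implant)."""
    return [
        (client, process, host)
        for _ts, client, process, host in (line.split() for line in lines)
        if host.lower() in DRIVE_HOSTS and process.lower() not in BROWSERS
    ]


# Constructed sample logs. Tunnel labels are permutations of the base32
# alphabet, the kind of output a DNS-safe encoder emits; '.invalid' is a
# reserved TLD that never resolves.
_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def _tunnel_label(i: int) -> str:
    return _ALPHABET[i:] + _ALPHABET[:i]


SAMPLE_DNS = (
    [f"2019-01-18T10:00:{i:02d} 10.0.0.5 {_tunnel_label(i)}.c2-example.invalid TXT" for i in range(10)]
    + [f"2019-01-18T10:01:{i:02d} 10.0.0.5 img{i}.cdn-example.invalid A" for i in range(8)]  # many short labels: benign
    + ["2019-01-18T10:02:00 10.0.0.7 www.example.com A"]
)
SAMPLE_PROXY = [
    "2019-01-18T10:03:00 10.0.0.7 chrome.exe drive.google.com",
    "2019-01-18T10:03:05 10.0.0.5 update.exe www.googleapis.com",  # hypothetical implant process name
]

if __name__ == "__main__":
    print(detect_dns_tunnel(SAMPLE_DNS))
    print(detect_drive_from_non_browser(SAMPLE_PROXY))
```

The CDN-style queries have enough unique labels to pass the count threshold but are short and low-entropy, so only the tunnel domain is flagged; the Drive check is deliberately crude and should be paired with an allow-list for the official Drive client and any sync agents you deploy.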
The longer a backdoor like this stays on a computer, the more the attackers can do with it: it gives them time to collect data, move to other systems and bring in additional malware.
Since you are on this page, you are already a step ahead; the rest of the article explains how to recognize and remove the DarkHydrus malware before it causes more harm to your PC.
Is DarkHydrus a virus?
DarkHydrus is a hacking group, not a virus. The malware it infects victims' computers with is the RogueRobin Trojan, now in a new variant.
RogueRobin is a high-risk backdoor. It is intended to let the attackers steal data, disrupt the system, and download or install further malicious programs, and in general to carry out whatever other harmful actions they choose on your data or network.
Unlike adware, it does not announce itself by altering your browser settings or showing ads; it is designed to stay hidden. It gives the attackers remote access to the system and lets them run commands and code in Windows, and it makes changes to the system, such as registry entries, so that it survives reboots and stays concealed from ordinary antivirus programs and from the user.
Commodity malware spreads through spam email, peer-to-peer file sharing, clickjacking and junk attachments; RogueRobin instead arrives through targeted phishing emails carrying the weaponized Excel document described above.
So scan every document and file you open or download, even when it appears to come from a credible source, and do not enable macros in a document you were not expecting.
Symptoms of a compromised system
RogueRobin is not a standalone nuisance: it is a foothold that lets the attackers bring in further tooling, so the damage grows the longer it goes unnoticed. Because it is built to stay quiet, do not expect pop-ups or browser changes; look for these indicators instead:
- Excel (or another Office application) starting regsvr32.exe, particularly with a command line that names scrobj.dll or a file in a temporary directory.
- A burst of DNS queries from one machine to a single domain with long, random-looking subdomains: that is what a DNS tunnel looks like on the network.
- Connections to the Google Drive API from a process that is not a web browser or the Drive desktop client.
- Unfamiliar registry or startup entries that relaunch an unknown program after a reboot, or an unknown process consuming CPU and network bandwidth.
- Ultimately, remote attackers with access to the system who can read and steal documents and personal data for their own purposes.
Remove RogueRobin and other suspicious programs
RogueRobin is an APT backdoor, not a commodity program: it will not appear by name in Programs and Features, and ending its process does not undo its persistence. Treat the steps below as first-line triage. On a managed network, disconnect the host from the network first, preserve it for forensic analysis and reimage it rather than trusting a manual clean-up.
- Press Ctrl + Shift + Esc to open Task Manager. Look for unfamiliar processes (for example regsvr32.exe running when nothing is being installed, or an unknown program with network activity), right-click each one and choose End Task.
- Press Windows key + R to open the Run box, type appwiz.cpl and press Enter to open Programs and Features.
- Uninstall each suspicious program one by one. When the uninstallation is complete, restart the computer and return to Programs and Features to confirm the application is gone.
Groups like DarkHydrus have learned to make their malware more adaptable, resilient and damaging, and a conventional antivirus product cannot be expected to stop every threat on its own.
We therefore need to upgrade our cyber-defence systems and processes comprehensively, both to guard against these risks more effectively and to respond in a timely and robust way when an intrusion does occur.
Note: we recommend ITL Total Security and Malware Crusher, well-regarded anti-malware products that help block Trojans, viruses, adware and other malware on your PC.
They include several features to protect your system from damage and keep you safe, such as real-time protection, web protection, live updates and more.
Tips to prevent viruses and malware from infecting your system:
- Enable your pop-up blocker: pop-ups and ads on websites are a favourite tactic of cybercriminals for spreading malicious programs. Avoid clicking dubious sites, software offers and pop-ups, and install a reputable ad blocker for Chrome, Firefox and Internet Explorer.
- Keep Windows updated: keep your system current through automatic Windows Update. Outdated versions of Windows are an easy target, and patches close the holes that malware relies on.
- Be careful with third-party installers: avoid freeware download sites, which often bundle extra software with the installer or stub file.
- Back up regularly: regular backups keep your data safe if the system is infected by a virus or other malware, so back up important files periodically to a cloud drive or an external hard drive.
- Don't enable macros in unexpected documents: the DarkHydrus attack depends on the recipient letting the VBA macro in an Excel attachment run, so leave macros disabled unless you know why a document needs them.
- Always run an antivirus: prevention is better than cure. We recommend installing an antivirus such as ITL Total Security or a good malware removal tool such as Download Virus RemovalTool.