
G0079 DarkHydrus

DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks.[1][2]

| Item | Value |
|---|---|
| ID | G0079 |
| Associated Names | |
| Version | 1.3 |
| Created | 17 October 2018 |
| Last Modified | 12 October 2021 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | DarkHydrus leveraged PowerShell to download and execute additional scripts.[1][2] |
| enterprise | T1187 | Forced Authentication | DarkHydrus used Template Injection to launch an authentication window for users to enter their credentials.[3] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | DarkHydrus has used `-WindowStyle Hidden` to conceal PowerShell windows.[1] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | DarkHydrus has obtained and used tools such as Mimikatz, Empire, and Cobalt Strike.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | DarkHydrus has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy). The group has also sent spearphishing emails that contained malicious Microsoft Office documents that use the "attachedTemplate" technique to load a template from a remote server.[1][3][2] |
| enterprise | T1221 | Template Injection | DarkHydrus used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication.[3] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | DarkHydrus has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded.[1][2] |

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0154 | Cobalt Strike | - | Bypass User Account Control:Abuse Elevation Control Mechanism, Sudo and Sudo Caching:Abuse Elevation Control Mechanism, Make and Impersonate Token:Access Token Manipulation, Parent PID Spoofing:Access Token Manipulation, Token Impersonation/Theft:Access Token Manipulation, Domain Account:Account Discovery, Application Layer Protocol, DNS:Application Layer Protocol, Web Protocols:Application Layer Protocol, BITS Jobs, Browser Session Hijacking, Python:Command and Scripting Interpreter, Visual Basic:Command and Scripting Interpreter, PowerShell:Command and Scripting Interpreter, JavaScript:Command and Scripting Interpreter, Windows Command Shell:Command and Scripting Interpreter, Commonly Used Port, Windows Service:Create or Modify System Process, Standard Encoding:Data Encoding, Data from Local System, Protocol Impersonation:Data Obfuscation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Symmetric Cryptography:Encrypted Channel, Asymmetric Cryptography:Encrypted Channel, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Process Argument Spoofing:Hide Artifacts, Disable or Modify Tools:Impair Defenses, Timestomp:Indicator Removal on Host, Ingress Tool Transfer, Keylogging:Input Capture, Modify Registry, Multiband Communication, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Indicator Removal from Tools:Obfuscated Files or Information, Obfuscated Files or Information, Office Template Macros:Office Application Startup, Security Account Manager:OS Credential Dumping, LSASS Memory:OS Credential Dumping, Local Groups:Permission Groups Discovery, Domain Groups:Permission Groups Discovery, Process Discovery, Dynamic-link Library Injection:Process Injection, Process Hollowing:Process Injection, Process Injection, Protocol Tunneling, Domain Fronting:Proxy, Internal Proxy:Proxy, Query Registry, Reflective Code Loading, Windows Remote Management:Remote Services, Remote Desktop Protocol:Remote Services, SMB/Windows Admin Shares:Remote Services, Distributed Component Object Model:Remote Services, SSH:Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Code Signing:Subvert Trust Controls, Rundll32:System Binary Proxy Execution, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, Service Execution:System Services, Pass the Hash:Use Alternate Authentication Material, Domain Accounts:Valid Accounts, Local Accounts:Valid Accounts, Windows Management Instrumentation |
| S0002 | Mimikatz | - | SID-History Injection:Access Token Manipulation, Account Manipulation, Security Support Provider:Boot or Logon Autostart Execution, Credentials from Password Stores, Credentials from Web Browsers:Credentials from Password Stores, Windows Credential Manager:Credentials from Password Stores, LSA Secrets:OS Credential Dumping, DCSync:OS Credential Dumping, Security Account Manager:OS Credential Dumping, LSASS Memory:OS Credential Dumping, Rogue Domain Controller, Silver Ticket:Steal or Forge Kerberos Tickets, Golden Ticket:Steal or Forge Kerberos Tickets, Private Keys:Unsecured Credentials, Pass the Hash:Use Alternate Authentication Material, Pass the Ticket:Use Alternate Authentication Material |
| S0270 | RogueRobin | - | Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution, Shortcut Modification:Boot or Logon Autostart Execution, Windows Command Shell:Command and Scripting Interpreter, PowerShell:Command and Scripting Interpreter, Standard Encoding:Data Encoding, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Obfuscated Files or Information, Process Discovery, Screen Capture, Security Software Discovery:Software Discovery, Regsvr32:System Binary Proxy Execution, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Checks:Virtualization/Sandbox Evasion, Bidirectional Communication:Web Service, Windows Management Instrumentation |
