S0270 RogueRobin
RogueRobin is a payload used by DarkHydrus that has been developed in PowerShell and C#.[1][2]
Item | Value |
---|---|
ID | S0270 |
Associated Names | |
Type | MALWARE |
Version | 2.2 |
Created | 17 October 2018 |
Last Modified | 22 March 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | RogueRobin created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in to establish persistence.[1] |
enterprise | T1547.009 | Shortcut Modification | RogueRobin establishes persistence by creating a shortcut (.LNK file) in the Windows startup folder to run a script each time the user logs in.[1][2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | RogueRobin uses a command prompt to run a PowerShell script from Excel.[1] To assist in establishing persistence, RogueRobin creates %APPDATA%\OneDrive.bat and saves the following string to it: `powershell.exe -WindowStyle Hidden -exec bypass -File "%APPDATA%\OneDrive.ps1"`.[2][1] |
enterprise | T1059.003 | Windows Command Shell | RogueRobin uses Windows Script Components.[2][1] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | RogueRobin base64 encodes strings that are sent to the C2 over its DNS tunnel.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | RogueRobin decodes an embedded executable using base64 and decompresses it.[2] |
enterprise | T1105 | Ingress Tool Transfer | RogueRobin can save a new file to the system from the C2 server.[1][2] |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.010 | Command Obfuscation | The PowerShell script with the RogueRobin payload was obfuscated using the COMPRESS technique in Invoke-Obfuscation.[1][3] |
enterprise | T1057 | Process Discovery | RogueRobin checks the running processes for evidence it may be running in a sandbox environment. It specifically enumerates processes for Wireshark and Sysinternals.[1] |
enterprise | T1113 | Screen Capture | RogueRobin has a command named $screenshot that may be responsible for taking screenshots of the victim machine.[1] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | RogueRobin enumerates running processes to search for Wireshark and the Windows Sysinternals suite.[1][2] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.010 | Regsvr32 | RogueRobin uses regsvr32.exe to run a .sct file for execution.[2] |
enterprise | T1082 | System Information Discovery | RogueRobin gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name.[1] |
enterprise | T1016 | System Network Configuration Discovery | RogueRobin gathers the IP address and domain from the victim's machine.[1] |
enterprise | T1033 | System Owner/User Discovery | RogueRobin collects the victim's username and whether that user is an admin.[1] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.001 | System Checks | RogueRobin uses WMI to check the BIOS version for VBOX, bochs, qemu, virtualbox, and vm to check for evidence that the script might be executing within an analysis environment.[1][2] |
enterprise | T1102 | Web Service | - |
enterprise | T1102.002 | Bidirectional Communication | RogueRobin has used Google Drive as a Command and Control channel.[2] |
enterprise | T1047 | Windows Management Instrumentation | RogueRobin uses various WMI queries to check if the sample is running in a sandbox.[1][2] |
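The process-creation behaviours listed above (the hidden, policy-bypassing PowerShell launched from %APPDATA%\OneDrive.bat, the shell spawned from Excel, and regsvr32 running a .sct scriptlet) can be turned into simple telemetry rules. The following is an added detection example, not code from ATT&CK or from the cited reports; it assumes Sysmon Event ID 1 style records reduced to (parent image, image, command line) triples, and all sample events are constructed.

```python
import re
from typing import List, Tuple

Event = Tuple[str, str, str]  # (parent_image, image, command_line)

# Constructed sample events in Sysmon Event ID 1 shape (not taken from the page).
SAMPLE_EVENTS: List[Event] = [
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c "C:\Users\u\AppData\Roaming\OneDrive.bat"'),
    (r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell.exe -WindowStyle Hidden -exec bypass -File "C:\Users\u\AppData\Roaming\OneDrive.ps1"'),
    (r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c powershell.exe -File C:\Users\u\AppData\Local\Temp\x.ps1"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe /s /i:C:\Users\u\AppData\Roaming\a.sct scrobj.dll"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: Event) -> List[str]:
    """Return the ATT&CK technique IDs whose RogueRobin behaviour the event matches."""
    parent, image, cmd = event
    p, i, c = _base(parent), _base(image), cmd.lower()
    hits: List[str] = []
    # T1059.001 / T1547.001: hidden, policy-bypassing PowerShell running a .ps1 out of
    # the roaming AppData folder, the command line RogueRobin writes to OneDrive.bat.
    if (i == "powershell.exe" and re.search(r"-w(indowstyle)?\s+hidden", c)
            and re.search(r"-exec(utionpolicy)?\s+bypass", c)
            and "-file" in c and r"appdata\roaming" in c):
        hits += ["T1059.001", "T1547.001"]
    # T1547.001: explorer (logon-time startup item) running a .bat dropped in AppData\Roaming.
    if p == "explorer.exe" and i == "cmd.exe" and re.search(r"appdata\\roaming\\[^\s\"]+\.bat", c):
        hits.append("T1547.001")
    # T1059.001: a command prompt or PowerShell spawned directly by Excel.
    if p == "excel.exe" and i in ("cmd.exe", "powershell.exe"):
        hits.append("T1059.001")
    # T1218.010: regsvr32 pointed at a scriptlet (.sct) file.
    if i == "regsvr32.exe" and ".sct" in c:
        hits.append("T1218.010")
    return hits

def scan(events: List[Event]) -> List[Tuple[int, List[str]]]:
    """Return (index, technique_ids) for every event that triggered at least one rule."""
    results = []
    for n, ev in enumerate(events):
        techniques = classify(ev)
        if techniques:
            results.append((n, techniques))
    return results

if __name__ == "__main__":
    for n, techniques in scan(SAMPLE_EVENTS):
        print(n, SAMPLE_EVENTS[n][2], "->", ", ".join(techniques))
```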
Groups That Use This Software
ID | Name | References |
---|---|---|
G0079 | DarkHydrus | [1][2] |
References
- [1] Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
- [2] Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
- [3] Bohannon, D. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017.