Skip to content

S0270 RogueRobin

RogueRobin is a payload used by DarkHydrus that has been developed in PowerShell and C#. 12

Item Value
ID S0270
Associated Names
Version 2.2
Created 17 October 2018
Last Modified 22 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder RogueRobin created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in to establish persistence.1
enterprise T1547.009 Shortcut Modification RogueRobin establishes persistence by creating a shortcut (.LNK file) in the Windows startup folder to run a script each time the user logs in.12
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell RogueRobin uses a command prompt to run a PowerShell script from Excel.1 To assist in establishing persistence, RogueRobin creates %APPDATA%\OneDrive.bat and saves the following string to it:powershell.exe -WindowStyle Hidden -exec bypass -File “%APPDATA%\OneDrive.ps1”.21
enterprise T1059.003 Windows Command Shell RogueRobin uses Windows Script Components.21
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding RogueRobin base64 encodes strings that are sent to the C2 over its DNS tunnel.1
enterprise T1140 Deobfuscate/Decode Files or Information RogueRobin decodes an embedded executable using base64 and decompresses it.2
enterprise T1105 Ingress Tool Transfer RogueRobin can save a new file to the system from the C2 server.12
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.010 Command Obfuscation The PowerShell script with the RogueRobin payload was obfuscated using the COMPRESS technique in Invoke-Obfuscation.13
enterprise T1057 Process Discovery RogueRobin checks the running processes for evidence it may be running in a sandbox environment. It specifically enumerates processes for Wireshark and Sysinternals.1
enterprise T1113 Screen Capture RogueRobin has a command named $screenshot that may be responsible for taking screenshots of the victim machine.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery RogueRobin enumerates running processes to search for Wireshark and Windows Sysinternals suite.12
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.010 Regsvr32 RogueRobin uses regsvr32.exe to run a .sct file for execution.2
enterprise T1082 System Information Discovery RogueRobin gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name.1
enterprise T1016 System Network Configuration Discovery RogueRobin gathers the IP address and domain from the victim’s machine.1
enterprise T1033 System Owner/User Discovery RogueRobin collects the victim’s username and whether that user is an admin.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks RogueRobin uses WMI to check BIOS version for VBOX, bochs, qemu, virtualbox, and vm to check for evidence that the script might be executing within an analysis environment. 12
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication RogueRobin has used Google Drive as a Command and Control channel. 2
enterprise T1047 Windows Management Instrumentation RogueRobin uses various WMI queries to check if the sample is running in a sandbox.12

Groups That Use This Software

ID Name References
G0079 DarkHydrus 12