Government entities and educational institutions in the Middle East are under attack in an ongoing credential-harvesting campaign, mounted by a newly-named threat group known as DarkHydrus. In a twist on the norm, the group is leveraging the open-source Phishery tool to carry out its dark work.
The attacks follow a well-worn pattern, according to Palo Alto Networks’ Unit 42 group: Spear-phishing emails with attached malicious Microsoft Office documents are leveraging the “attachedTemplate” technique to load a template from a remote server.
“When attempting to load this remote template, Microsoft Office will display an authentication dialog box to ask the user to provide log-in credentials,” the researchers explained in a posting this week. “When entered, these credentials are then sent to the C2 server, which allows DarkHydrus to collect the user account credentials.”
So far, that’s not a new approach — US-CERT warned of the same technique by a different threat group in 2017. What’s different about this effort is DarkHydrus’ use of the open-source Phishery tool to create two of the known Word documents used in the attacks – and the fact that the group seems to be highly active even though it has only recently been uncovered.
The Phishery tool is capable of creating malicious Word documents by injecting a remote template URL; it also hosts a C2 server to gather the credentials entered into the authentication dialog boxes. In other words, it’s a turn-key solution for these kinds of attacks – and, thanks to this campaign, has been shown to be effective in real-world offensives.
Unite 42 researchers tried the tool out themselves to verify that it’s enabling the campaign.
“We were able to replicate the remote template path using Phishery to create a weaponized delivery document,” Unit 42 researchers noted. “To confirm, we used Phishery’s C2 server and opened DarkHydrus’ Word document from the June 2018 attacks. When presented with the authentication dialog box, we entered ‘fakename’ and ‘fakepass’ as credentials and pressed enter.”
On the C2 server, they observed Phishery receiving the inbound request and capturing the credentials.
Also, Unit 42 last week uncovered a different spear-phishing attack on Middle Eastern government entities, this time used to deliver a PowerShell payload that the firm dubbed RogueRobin. The campaign uses Excel Web Query files – a novel method that Threatpost has previously detailed. Unit 42 attributed this effort to DarkHydrus as well, based on domain infrastructure analysis. It turns out that RogueRobin – a custom script that backdoors targeted machines – appears to be cobbled together from open-source code snippets – for instance, it uses the open-source Invoke-Obfuscation tool to obfuscate the PowerShell script.
Thus, there appears to be a pattern: “The use of Phishery further shows Dark Hydrus’ reliance on open-source tools to conduct their operations,” researchers noted.
Starting June 24, Unit 42 began seeing suspicious emails arriving in targets’ in-boxes, with the subject line of “Project Offer.”
When users click open the attachments, they’re confronted by an empty document obscured by a dialog box asking for credentials. After users fill in the authentication details, the Word document remains—but it’s still empty.
“While this document was empty, the authentication prompt may have made the targeted user more likely to enter their credentials, thinking it’s necessary to view the contents of the document,” Unit 42 researchers said.
In another attempt at looking legit, the subdomain name cited in the dialog box is a domain of the targeted entity, and it makes use of known Outlook behavior.
“Also, the 0utl00k[.]net domain resembles Microsoft’s legitimate ‘outlook.com’ domain that provides free email services, which also make the user less suspicious and more likely to enter their credentials,” Unite 42 researchers explained. “Some users may not even notice what domain the dialog states they are connecting to and habitually type their Windows credentials.”
Interestingly, related Word documents were also observed being used in phishing campaigns back in September and November 2017. Unlike the empty June 2018 document, both of these displayed pertinent information to the targeted organization, such as an employee survey. The infrastructure used in those credential-harvesting attacks resolved to the same IP address used by DarkHydrus in the attacks that started in June, further linking the activity together as being carried out by the same threat actor.
All of this “suggests that DarkHydrus has been carrying out this credential harvesting campaign for almost a year,” the analysts noted.
DarkHydrus itself, while newly named, has been around in an organized and focused form for even longer, they added.
“Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016,” Unit 42 researchers noted.