1. Home
  2. Groups
  3. DarkHydrus

DarkHydrus

DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. [1] [2]

ID: G0079
Contributors: Oleg Skulkin, Group-IB
Version: 1.3
Created: 17 October 2018
Last Modified: 12 October 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 命令与脚本解释器: PowerShell

DarkHydrus leveraged PowerShell to download and execute additional scripts for execution.[1][2]
Enterprise T1187 强制身份验证

DarkHydrus used Template Injection to launch an authentication window for users to enter their credentials.[3]
Enterprise T1221 模板注入

DarkHydrus used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication.[3]
Enterprise T1204 .002 用户执行: Malicious File

DarkHydrus has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded.[1][2]
Enterprise T1588 .002 获取能力: Tool

DarkHydrus has obtained and used tools such as Mimikatz, Empire, and Cobalt Strike.[1]
Enterprise T1566 .001 钓鱼: Spearphishing Attachment

DarkHydrus has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy). The group has also sent spearphishing emails that contained malicious Microsoft Office documents that use the "attachedTemplate" technique to load a template from a remote server.[1][3][2]
Enterprise T1564 .003 隐藏伪装: Hidden Window

DarkHydrus has used -WindowStyle Hidden to conceal PowerShell windows. [1]

Software

ID Name References Techniques
S0154 Cobalt Strike [1][2] BITS任务, Windows管理规范, 从本地系统获取数据, 代理: Domain Fronting, 代理: Internal Proxy, 使用备用认证材料: Pass the Hash, 修改注册表, 创建或修改系统进程: Windows Service, 办公应用启动: Office Template Macros, 加密通道: Asymmetric Cryptography, 加密通道: Symmetric Cryptography, 协议隧道, 反射性代码加载, 反混淆/解码文件或信息, 命令与脚本解释器: JavaScript, 命令与脚本解释器: Visual Basic, 命令与脚本解释器: PowerShell, 命令与脚本解释器: Python, 命令与脚本解释器: Windows Command Shell, 妨碍防御: Disable or Modify Tools, 客户端执行漏洞利用, 屏幕捕获, 应用层协议: DNS, 应用层协议: Web Protocols, 应用层协议: File Transfer Protocols, 操作系统凭证转储: LSASS Memory, 操作系统凭证转储: Security Account Manager, 数据传输大小限制, 数据混淆: Protocol or Service Impersonation, 数据编码: Standard Encoding, 文件和目录发现, 有效账户: Domain Accounts, 有效账户: Local Accounts, 本机API, 权限提升漏洞利用, 权限组发现: Domain Groups, 权限组发现: Local Groups, 查询注册表, 浏览器会话劫持, 混淆文件或信息: Indicator Removal from Tools, 混淆文件或信息, 滥用权限提升控制机制: Sudo and Sudo Caching, 滥用权限提升控制机制: Bypass User Account Control, 移除指标: Timestomp, 系统二进制代理执行: Rundll32, 系统服务: Service Execution, 系统服务发现, 系统网络连接发现, 系统网络配置发现, 网络共享发现, 网络服务发现, 访问令牌操控: Parent PID Spoofing, 访问令牌操控: Token Impersonation/Theft, 访问令牌操控: Make and Impersonate Token, 账号发现: Domain Account, 软件发现, 输入工具传输, 输入捕获: Keylogging, 进程发现, 进程注入: Dynamic-link Library Injection, 进程注入: Process Hollowing, 进程注入, 远程服务: Remote Desktop Protocol, 远程服务: SSH, 远程服务: Windows Remote Management, 远程服务: SMB/Windows Admin Shares, 远程服务: Distributed Component Object Model, 远程系统发现, 隐藏伪装: Process Argument Spoofing, 非应用层协议, 预定传输, 颠覆信任控制: Code Signing
S0002 Mimikatz [1][2] 从密码存储中获取凭证, 从密码存储中获取凭证: Credentials from Web Browsers, 从密码存储中获取凭证: Windows Credential Manager, 伪造域控制器, 使用备用认证材料: Pass the Hash, 使用备用认证材料: Pass the Ticket, 启动或登录自动启动执行: Security Support Provider, 操作系统凭证转储: DCSync, 操作系统凭证转储: Security Account Manager, 操作系统凭证转储: LSASS Memory, 操作系统凭证转储: LSA Secrets, 未加密凭证: Private Keys, 窃取或伪造Kerberos票据: Golden Ticket, 窃取或伪造Kerberos票据: Silver Ticket, 窃取或伪造身份认证证书, 访问令牌操控: SID-History Injection, 账号操控
S0270 RogueRobin [1][4] Windows管理规范, 反混淆/解码文件或信息, 启动或登录自动启动执行: Shortcut Modification, 启动或登录自动启动执行: Registry Run Keys / Startup Folder, 命令与脚本解释器: Windows Command Shell, 命令与脚本解释器: PowerShell, 屏幕捕获, 数据编码: Standard Encoding, 混淆文件或信息: Command Obfuscation, 系统二进制代理执行: Regsvr32, 系统信息发现, 系统所有者/用户发现, 系统网络配置发现, 网络服务: Bidirectional Communication, 虚拟化/沙盒规避: System Checks, 软件发现: Security Software Discovery, 输入工具传输, 进程发现

References

  1. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  2. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  1. Falcone, R. (2018, August 07). DarkHydrus Uses Phishery to Harvest Credentials in the Middle East. Retrieved August 10, 2018.
  2. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.