1. Home
  2. Software
  3. RogueRobin

RogueRobin

RogueRobin is a payload used by DarkHydrus that has been developed in PowerShell and C#. [1][2]

ID: S0270
Type: MALWARE
Platforms: Windows
Version: 2.2
Created: 17 October 2018
Last Modified: 22 March 2023
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows管理规范

RogueRobin uses various WMI queries to check if the sample is running in a sandbox.[1][2]
Enterprise T1140 反混淆/解码文件或信息

RogueRobin decodes an embedded executable using base64 and decompresses it.[2]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

RogueRobin created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in to establish persistence.[1]
.009 启动或登录自动启动执行: Shortcut Modification

RogueRobin establishes persistence by creating a shortcut (.LNK file) in the Windows startup folder to run a script each time the user logs in.[1][2]
Enterprise T1059 .001 命令与脚本解释器: PowerShell

RogueRobin uses a command prompt to run a PowerShell script from Excel.[1] To assist in establishing persistence, RogueRobin creates %APPDATA%\OneDrive.bat and saves the following string to it:powershell.exe -WindowStyle Hidden -exec bypass -File "%APPDATA%\OneDrive.ps1".[2][1]
.003 命令与脚本解释器: Windows Command Shell

RogueRobin uses Windows Script Components.[2][1]
Enterprise T1113 屏幕捕获

RogueRobin has a command named $screenshot that may be responsible for taking screenshots of the victim machine.[1]
Enterprise T1132 .001 数据编码: Standard Encoding

RogueRobin base64 encodes strings that are sent to the C2 over its DNS tunnel.[1]
Enterprise T1027 .010 混淆文件或信息: Command Obfuscation

The PowerShell script with the RogueRobin payload was obfuscated using the COMPRESS technique in Invoke-Obfuscation.[1][3]
Enterprise T1218 .010 系统二进制代理执行: Regsvr32

RogueRobin uses regsvr32.exe to run a .sct file for execution.[2]
Enterprise T1082 系统信息发现

RogueRobin gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name.[1]
Enterprise T1033 系统所有者/用户发现

RogueRobin collects the victim’s username and whether that user is an admin.[1]
Enterprise T1016 系统网络配置发现

RogueRobin gathers the IP address and domain from the victim’s machine.[1]
Enterprise T1102 .002 网络服务: Bidirectional Communication

RogueRobin has used Google Drive as a Command and Control channel. [2]
Enterprise T1497 .001 虚拟化/沙盒规避: System Checks

RogueRobin uses WMI to check BIOS version for VBOX, bochs, qemu, virtualbox, and vm to check for evidence that the script might be executing within an analysis environment. [1][2]
Enterprise T1518 .001 软件发现: Security Software Discovery

RogueRobin enumerates running processes to search for Wireshark and Windows Sysinternals suite.[1][2]
Enterprise T1105 输入工具传输

RogueRobin can save a new file to the system from the C2 server.[1][2]
Enterprise T1057 进程发现

RogueRobin checks the running processes for evidence it may be running in a sandbox environment. It specifically enumerates processes for Wireshark and Sysinternals.[1]

Groups That Use This Software

ID Name References
G0079 DarkHydrus

[1][2]

References

  1. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  2. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  1. Bohannon, D.. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017.