New malware uses Google Drive as a command-and-control server
Most security tools inspect network traffic to detect connections to known-malicious IP addresses and domains. Aware of this, attackers are increasingly routing their operations through legitimate service infrastructure to hide malicious activity among ordinary traffic.
Security researchers have now uncovered a new malware campaign, attributed to the notorious APT group DarkHydrus, that uses Google Drive as a command-and-control (C2) server.
The DarkHydrus APT group first came to light in August last year, when it was found using the open-source Phishery tool to run credential-harvesting campaigns against government agencies and educational institutions in the Middle East.
According to a report published by 360 Security Intelligence Center (360TIC) and Palo Alto Networks, the latest campaign by the DarkHydrus APT group also targeted organizations in the Middle East. This time the attackers used a new variant of a Trojan they developed, called RogueRobin. The malware infects a victim's computer by tricking them into opening a Microsoft Excel document containing an embedded VBA macro, rather than by exploiting any Windows zero-day vulnerability.
Enabling the macro drops a malicious text (.txt) file in the temporary directory and then abuses the legitimate 'regsvr32.exe' utility to execute it, ultimately installing the RogueRobin backdoor, written in C#, on the compromised system.
According to the Palo Alto researchers, RogueRobin includes several anti-analysis checks to determine whether it is running in a sandbox: it looks for virtualized environments, low memory, a low processor count and common analysis tools running on the system. It also contains anti-debugging code.
Like the original version, the new RogueRobin variant uses DNS tunnelling, a technique that sends and receives data and commands inside DNS query packets, to communicate with its command-and-control server.
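The following Python is an added example, not code from the report or the malware, showing how a defender might surface DNS tunnelling of the kind described above from resolver logs. It runs over a constructed sample log (the `c2-placeholder.test` domain and its hex labels are invented) and flags domains whose subdomains are long, high-entropy and rarely repeated, which is what encoded payloads look like when squeezed into query names; the thresholds are illustrative starting points, not values from the report.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the report): "timestamp client qname qtype".
# The hex-label queries to c2-placeholder.test stand in for tunnelled traffic.
SAMPLE_LOG = """\
2019-01-18T10:00:01 10.0.0.5 www.example.com A
2019-01-18T10:00:02 10.0.0.5 mail.example.com A
2019-01-18T10:00:03 10.0.0.5 api.example.com A
2019-01-18T10:00:04 10.0.0.5 www.example.com A
2019-01-18T10:00:05 10.0.0.7 7a6f9b2c4e1d8f3a5b6c7d8e9f0a1b2c.c2-placeholder.test TXT
2019-01-18T10:00:06 10.0.0.7 3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f.c2-placeholder.test TXT
2019-01-18T10:00:07 10.0.0.7 9f0e1d2c3b4a5968778695a4b3c2d1e0.c2-placeholder.test A
2019-01-18T10:00:08 10.0.0.7 0a1b2c3d4e5f60718293a4b5c6d7e8f9.c2-placeholder.test TXT
2019-01-18T10:00:09 10.0.0.9 cdn.example.org A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random hex approaches 4.0, real words sit well below 3.5."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Parse one log line into a record, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype}


def split_qname(qname: str):
    """Naive split: the last two labels are treated as the registered domain (an
    assumption that ignores public suffixes such as co.uk; use a PSL for real data)."""
    labels = qname.split(".")
    if len(labels) < 3:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def domain_features(subdomains):
    """Per-domain features computed over the longest label of each query's subdomain part."""
    longest = [max(sub.split("."), key=len) for sub in subdomains if sub]
    return {
        "queries": len(subdomains),
        "unique_ratio": len(set(subdomains)) / len(subdomains),
        "mean_label_len": sum(len(l) for l in longest) / max(len(longest), 1),
        "mean_entropy": sum(shannon_entropy(l) for l in longest) / max(len(longest), 1),
    }


def detect_tunneling(log_text: str, min_queries: int = 3,
                     min_label_len: float = 20, min_entropy: float = 3.0,
                     min_unique_ratio: float = 0.8):
    """Return [(domain, features)] for domains whose subdomains look like encoded payloads:
    long, high-entropy, rarely repeated labels. Thresholds are illustrative starting points."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        domain, sub = split_qname(rec["qname"])
        per_domain[domain].append(sub)
    flagged = []
    for domain, subs in per_domain.items():
        if len(subs) < min_queries:
            continue
        f = domain_features(subs)
        if (f["mean_label_len"] >= min_label_len and f["mean_entropy"] >= min_entropy
                and f["unique_ratio"] >= min_unique_ratio):
            flagged.append((domain, f))
    return flagged


if __name__ == "__main__":
    for domain, f in detect_tunneling(SAMPLE_LOG):
        print(f"suspect tunnelling: {domain} {f}")
```

On the sample log only `c2-placeholder.test` is flagged: `example.com` has enough queries to be scored but its short, repeated labels fail every threshold. In production the same features should be computed per client as well as per domain, since a single infected host beaconing to one domain is the pattern this campaign produced.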
However, the researchers also found that, besides DNS tunnelling, the malware was designed to use the Google Drive API as an alternative channel for exfiltrating data and receiving commands from the attackers.
"RogueRobin uploads a file to the Google Drive account and continually checks the file's modification time to see if the attacker has made any changes to it. The attacker will first modify the file to include a unique identifier that the Trojan will use for future communications," the Palo Alto researchers say.
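As an added illustration, not code from the report or from the malware, the following Python models the dead-drop exchange the researchers describe. An in-memory `MockDrive` stands in for the Google Drive API (only the `modifiedTime` metadata field and plain read/update calls are mirrored; everything else, including the file name, the identifier and the task strings, is invented for the example). The implant polls the file's modification time, adopts the identifier the operator writes into it, and thereafter treats each new edit as tasking, writing results back tagged with that identifier.

```python
import itertools


class MockDrive:
    """Constructed in-memory stand-in for a Drive account (not the Drive API).
    Each file keeps its content and a monotonically increasing modifiedTime."""

    def __init__(self):
        self._clock = itertools.count(1)
        self.files = {}

    def upload(self, name, content):
        self.files[name] = {"content": content, "modifiedTime": next(self._clock)}
        return name  # the file id; a real API would return an opaque id

    def modified_time(self, file_id):
        return self.files[file_id]["modifiedTime"]

    def read(self, file_id):
        return self.files[file_id]["content"]

    def update(self, file_id, content):
        self.files[file_id]["content"] = content
        self.files[file_id]["modifiedTime"] = next(self._clock)


class Implant:
    """Models the polling behaviour the researchers describe: upload a file, watch its
    modification time, adopt the identifier the operator writes into it."""

    def __init__(self, drive, beacon_name="beacon.txt"):
        self.drive = drive
        self.file_id = drive.upload(beacon_name, "hello")
        self.last_seen = drive.modified_time(self.file_id)
        self.session_id = None
        self.executed = []

    def poll(self):
        """One polling cycle. Returns what the implant did, or None if the file is unchanged."""
        now = self.drive.modified_time(self.file_id)
        if now == self.last_seen:
            return None
        self.last_seen = now
        body = self.drive.read(self.file_id).strip()
        if self.session_id is None:
            # The operator's first edit carries the unique identifier.
            self.session_id = body
            return ("registered", self.session_id)
        # Later edits carry tasking; the result goes back tagged with the session id.
        result = self.run(body)
        self.executed.append(body)
        self.drive.update(self.file_id, f"{self.session_id}|result|{result}")
        # Record our own write so the next poll does not mistake it for new tasking.
        self.last_seen = self.drive.modified_time(self.file_id)
        return ("executed", body)

    @staticmethod
    def run(cmd):
        # Harmless stand-in for command execution.
        return f"output-of-{cmd}"


class Operator:
    """The attacker's side: edits the same file to register the implant and task it."""

    def __init__(self, drive, file_id):
        self.drive = drive
        self.file_id = file_id

    def assign_id(self, ident):
        self.drive.update(self.file_id, ident)

    def task(self, cmd):
        self.drive.update(self.file_id, cmd)

    def collect(self):
        return self.drive.read(self.file_id)


def simulate():
    """Run the full exchange and return a log of each step's observable outcome."""
    drive = MockDrive()
    implant = Implant(drive)
    operator = Operator(drive, implant.file_id)
    log = [implant.poll()]                  # None: nothing has changed yet
    operator.assign_id("ID-0001")
    log.append(implant.poll())              # ("registered", "ID-0001")
    operator.task("whoami")
    log.append(implant.poll())              # ("executed", "whoami")
    log.append(operator.collect())          # "ID-0001|result|output-of-whoami"
    log.append(implant.poll())              # None: implant ignores its own write
    return log


if __name__ == "__main__":
    for step in simulate():
        print(step)
```

The point for defenders is what this exchange does not produce: every request is ordinary HTTPS to Google's API endpoints, so IP and domain blocklists never fire. Detection has to come from the host (an Office process chain that ends in a .NET binary talking to Drive) or from the API side (a newly created file being polled at machine-regular intervals).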
The new campaign shows that APT groups are increasingly abusing legitimate services for their command-and-control infrastructure in order to evade detection by security tools.
Note also that because VBA macros are a legitimate Office feature, most antivirus solutions do not raise alerts on, or block, MS Office documents simply because they contain VBA code.
The best protection against attacks like this is to never let your guard down against unsolicited documents, especially those sent by email, and never click any link inside such documents unless the source has been verified.