The sub-techniques beta is now live! Read the release blog post for more info.
GROUPS
GROUPS
A-B
C-D
E-F
G-H
I-J
No groups
K-L
M-N
O-P
Q-R
S-T
U-V
No groups
W-X
Y-Z
No groups
  1. Home
  2. Groups
  3. DarkHydrus

DarkHydrus

DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. [1] [2]

ID: G0079
Version: 1.1
Created: 17 October 2018
Last Modified: 11 October 2019
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1187 Forced Authentication

DarkHydrus used Template Injection to launch an authentication window for users to enter their credentials.[3]
Enterprise T1143 Hidden Window

DarkHydrus has used -WindowStyle Hidden to conceal PowerShell windows.[1]
Enterprise T1086 PowerShell

DarkHydrus leveraged PowerShell to download and execute additional scripts for execution.[1][2]
Enterprise T1193 Spearphishing Attachment

DarkHydrus has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy). The group has also sent spearphishing emails that contained malicious Microsoft Office documents that use the "attachedTemplate" technique to load a template from a remote server.[1][3][2]
Enterprise T1221 Template Injection

DarkHydrus used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication.[3]
Enterprise T1204 User Execution

DarkHydrus has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded.[1][2]

Software

ID Name References Techniques
S0154 Cobalt Strike [1] [2] Access Token Manipulation, BITS Jobs, Bypass User Account Control, Command-Line Interface, Commonly Used Port, Component Object Model and Distributed COM, Connection Proxy, Credential Dumping, Custom Command and Control Protocol, Data from Local System, Execution through API, Exploitation for Privilege Escalation, Indicator Removal from Tools, Input Capture, Man in the Browser, Multiband Communication, Network Service Scanning, Network Share Discovery, New Service, Parent PID Spoofing, Pass the Hash, PowerShell, Process Discovery, Process Hollowing, Process Injection, Remote Desktop Protocol, Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Timestomp, Valid Accounts, Windows Admin Shares, Windows Management Instrumentation, Windows Remote Management
S0002 Mimikatz [1] [2] Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0270 RogueRobin [1] [4] Command-Line Interface, Custom Command and Control Protocol, Data Obfuscation, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, PowerShell, Process Discovery, Registry Run Keys / Startup Folder, Regsvr32, Remote File Copy, Screen Capture, Scripting, Security Software Discovery, Shortcut Modification, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion, Web Service, Windows Management Instrumentation

References

  1. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  2. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  1. Falcone, R. (2018, August 07). DarkHydrus Uses Phishery to Harvest Credentials in the Middle East. Retrieved August 10, 2018.
  2. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.