GROUPS
  1. Home
  2. Groups
  3. DarkHydrus

DarkHydrus

DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. [1] [2]

ID: G0079
Version: 1.0

Techniques Used

DomainIDNameUse
EnterpriseT1187Forced AuthenticationDarkHydrus used Template Injection to launch an authentication window for users to enter their credentials.[3]
EnterpriseT1086PowerShellDarkHydrus leveraged PowerShell to download and execute additional scripts for execution.[1][2]
EnterpriseT1193Spearphishing AttachmentDarkHydrus has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy). The group has also sent spearphishing emails that contained malicious Microsoft Office documents that use the “attachedTemplate” technique to load a template from a remote server.[1][3][2]
EnterpriseT1221Template InjectionDarkHydrus used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication.[3]
EnterpriseT1204User ExecutionDarkHydrus has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded.[1][2]

Software

IDNameReferencesTechniques
S0154Cobalt Strike[1][2]Access Token Manipulation, BITS Jobs, Bypass User Account Control, Command-Line Interface, Commonly Used Port, Connection Proxy, Credential Dumping, Custom Command and Control Protocol, Data from Local System, Distributed Component Object Model, Execution through API, Exploitation for Privilege Escalation, Indicator Removal from Tools, Input Capture, Man in the Browser, Multiband Communication, Network Service Scanning, Network Share Discovery, New Service, Pass the Hash, PowerShell, Process Discovery, Process Hollowing, Process Injection, Remote Desktop Protocol, Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Timestomp, Valid Accounts, Windows Admin Shares, Windows Management Instrumentation, Windows Remote Management
S0002Mimikatz[1][2]Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0270RogueRobin[1][4]Command-Line Interface, Custom Command and Control Protocol, Data Obfuscation, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, PowerShell, Process Discovery, Registry Run Keys / Startup Folder, Regsvr32, Remote File Copy, Screen Capture, Scripting, Security Software Discovery, Shortcut Modification, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion, Web Service, Windows Management Instrumentation

References

  1. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  2. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  1. Falcone, R. (2018, August 07). DarkHydrus Uses Phishery to Harvest Credentials in the Middle East. Retrieved August 10, 2018.
  2. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.