DarkHydrus

DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. ^[1] ^[2]

ID: G0079

Aliases: DarkHydrus

Version: 1.0

Alias Descriptions

Name	Description
DarkHydrus	^[1]

Techniques Used

Domain	ID	Name	Use
Enterprise	T1187	Forced Authentication	DarkHydrus used Template Injection to launch an authentication window for users to enter their credentials.^[3]
Enterprise	T1086	PowerShell	DarkHydrus leveraged PowerShell to download and execute additional scripts for execution.^[1]^[2]
Enterprise	T1193	Spearphishing Attachment	DarkHydrus has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy). The group has also sent spearphishing emails that contained malicious Microsoft Office documents that use the “attachedTemplate” technique to load a template from a remote server.^[1]^[3]^[2]
Enterprise	T1221	Template Injection	DarkHydrus used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication.^[3]
Enterprise	T1204	User Execution	DarkHydrus has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded.^[1]^[2]

Software

ID	Name	Techniques
S0154	Cobalt Strike	Access Token Manipulation, BITS Jobs, Bypass User Account Control, Command-Line Interface, Commonly Used Port, Connection Proxy, Credential Dumping, Custom Command and Control Protocol, Data from Local System, Distributed Component Object Model, Execution through API, Exploitation for Privilege Escalation, Indicator Removal from Tools, Input Capture, Man in the Browser, Multiband Communication, Network Service Scanning, Network Share Discovery, New Service, Pass the Hash, PowerShell, Process Discovery, Process Hollowing, Process Injection, Remote Desktop Protocol, Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Timestomp, Valid Accounts, Windows Admin Shares, Windows Management Instrumentation, Windows Remote Management
S0002	Mimikatz	Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0270	RogueRobin	Command-Line Interface, Custom Command and Control Protocol, Data Obfuscation, Obfuscated Files or Information, PowerShell, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Screen Capture, Scripting, Security Software Discovery, Shortcut Modification, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Windows Management Instrumentation

References

Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.

Falcone, R. (2018, August 07). DarkHydrus Uses Phishery to Harvest Credentials in the Middle East. Retrieved August 10, 2018.