RogueRobin

RogueRobin is a payload used by DarkHydrus that has been developed in PowerShell and C#. [1][2]

ID: S0270
Type: MALWARE
Platforms: Windows

Version: 2.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | RogueRobin uses a command prompt to run a PowerShell script from Excel.[1]
Enterprise | T1094 | Custom Command and Control Protocol | RogueRobin uses a custom DNS tunneling protocol for C2.[1][2]
Enterprise | T1001 | Data Obfuscation | RogueRobin base64 encodes strings that are sent to the C2 over its DNS tunnel.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | RogueRobin decodes an embedded executable using base64 and decompresses it.[2]
Enterprise | T1027 | Obfuscated Files or Information | The PowerShell script with the RogueRobin payload was obfuscated using the COMPRESS technique in Invoke-Obfuscation.[1][3]
Enterprise | T1086 | PowerShell | RogueRobin uses PowerShell for execution.[1][2]
Enterprise | T1057 | Process Discovery | RogueRobin checks the running processes for evidence it may be running in a sandbox environment. It specifically enumerates processes for Wireshark and Sysinternals.[1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | RogueRobin created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in to establish persistence.[1]
Enterprise | T1117 | Regsvr32 | RogueRobin uses regsvr32.exe to run a .sct file for execution.[2]
Enterprise | T1105 | Remote File Copy | RogueRobin can save a new file to the system from the C2 server.[1][2]
Enterprise | T1113 | Screen Capture | RogueRobin has a command named $screenshot that may be responsible for taking screenshots of the victim machine.[1]
Enterprise | T1064 | Scripting | To assist in establishing persistence, RogueRobin creates %APPDATA%\OneDrive.bat and saves the following string to it: powershell.exe -WindowStyle Hidden -exec bypass -File "%APPDATA%\OneDrive.ps1". RogueRobin also uses Windows Script Components.[2][1]
Enterprise | T1063 | Security Software Discovery | RogueRobin enumerates running processes to search for Wireshark and the Windows Sysinternals suite.[1][2]
Enterprise | T1023 | Shortcut Modification | RogueRobin establishes persistence by creating a shortcut (.LNK file) in the Windows startup folder to run a script each time the user logs in.[1][2]
Enterprise | T1082 | System Information Discovery | RogueRobin gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name.[1]
Enterprise | T1016 | System Network Configuration Discovery | RogueRobin gathers the IP address and domain from the victim's machine.[1]
Enterprise | T1033 | System Owner/User Discovery | RogueRobin collects the victim's username and whether that user is an admin.[1]
Enterprise | T1497 | Virtualization/Sandbox Evasion | RogueRobin uses WMI to check the BIOS version for VBOX, bochs, qemu, virtualbox, and vm to check for evidence that the script might be executing within an analysis environment.[1][2]
Enterprise | T1102 | Web Service | RogueRobin has used Google Drive as a Command and Control channel.[2]
Enterprise | T1047 | Windows Management Instrumentation | RogueRobin uses various WMI queries to check if the sample is running in a sandbox.[1][2]
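As an added, defender-side illustration (not part of the ATT&CK entry or the cited reports), the following Python maps constructed process- and file-creation records onto the execution and persistence technique IDs listed above; the record shape, the sample paths and the classify/scan helpers are assumptions made for this example.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not taken from the page): process-creation and
# file-creation records in the shape a Sysmon-style sensor would emit.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "cmdline": r'cmd.exe /c powershell.exe -WindowStyle Hidden -exec bypass '
                r'-File "C:\Users\u\AppData\Roaming\OneDrive.ps1"'},
    {"kind": "file", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk"},
    {"kind": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"regsvr32.exe /s /i:C:\Users\u\AppData\Roaming\update.sct"},
    {"kind": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},
]

# A .lnk/.bat/.ps1 dropped directly into the per-user Startup folder (T1060 / T1023).
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.(lnk|bat|ps1)$", re.I)
# The launcher string the entry quotes: hidden window, bypassed policy, script under %APPDATA%.
HIDDEN_BYPASS = re.compile(
    r'-windowstyle\s+hidden.*-exec(utionpolicy)?\s+bypass.*-file\s+"?[^"\s]*appdata', re.I | re.S)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the technique IDs from the table above that one record matches."""
    hits: List[str] = []
    if event["kind"] == "file":
        if STARTUP_DIR.search(event["path"]):
            hits.append("T1060")                      # Startup folder persistence
            if event["path"].lower().endswith(".lnk"):
                hits.append("T1023")                  # Shortcut Modification
        return hits
    image, cmd = event["image"].lower(), event["cmdline"]
    if event["parent"].lower().endswith("excel.exe") and image.endswith(("cmd.exe", "powershell.exe")):
        hits.append("T1059")                          # command prompt spawned from Excel
    if "powershell" in cmd.lower() and HIDDEN_BYPASS.search(cmd):
        hits.append("T1086")                          # PowerShell with the quoted launcher flags
    if image.endswith("regsvr32.exe") and ".sct" in cmd.lower():
        hits.append("T1117")                          # regsvr32 loading a scriptlet file
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Index of every record that matched at least one technique."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```

Matching only the exact flag order from the entry would miss trivial variants, so the regexes tolerate reordering and the long-form -ExecutionPolicy switch.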

Groups

Groups that use this software:

DarkHydrus

References