RogueRobin

RogueRobin is a custom PowerShell-based payload used by DarkHydrus. [1]

ID: S0270
Aliases: RogueRobin
Type: MALWARE
Platforms: Windows

Version: 1.0

Alias Descriptions

NameDescription
RogueRobin[1]

Techniques Used

DomainIDNameUse
EnterpriseT1059Command-Line InterfaceRogueRobin uses a command prompt to run a PowerShell script from Excel.[1]
EnterpriseT1094Custom Command and Control ProtocolRogueRobin uses a custom DNS tunneling protocol for C2.[1]
EnterpriseT1001Data ObfuscationRogueRobin base64 encodes strings that are sent to the C2 over its DNS tunnel.[1]
EnterpriseT1027Obfuscated Files or InformationThe PowerShell script with the RogueRobin payload was obfuscated using the COMPRESS technique in Invoke-Obfuscation.[1][2]
EnterpriseT1086PowerShellRogueRobin uses PowerShell for execution.[1]
EnterpriseT1057Process DiscoveryRogueRobin checks the running processes for evidence it may be running in a sandbox environment. It specifically enumerates processes for Wireshark and Sysinternals.[1]
EnterpriseT1060Registry Run Keys / Startup FolderRogueRobin created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in to establish persistence.[1]
EnterpriseT1105Remote File CopyRogueRobin can download files from the C2 server to the victim’s machine.[1]
EnterpriseT1113Screen CaptureRogueRobin has a command named $screenshot that may be responsible for taking screenshots of the victim machine.[1]
EnterpriseT1064ScriptingTo assist in establishing persistence, RogueRobin creates %APPDATA%\OneDrive.bat and saves the following string to it:powershell.exe -WindowStyle Hidden -exec bypass -File “%APPDATA%\OneDrive.ps1”.[1]
EnterpriseT1063Security Software DiscoveryRogueRobin enumerates running processes to search for Wireshark and Windows Sysinternals suite.[1]
EnterpriseT1023Shortcut ModificationRogueRobin establishes persistence by creating a shortcut in the Windows startup folder to run a script each time the user logs in.[1]
EnterpriseT1082System Information DiscoveryRogueRobin gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name.[1]
EnterpriseT1016System Network Configuration DiscoveryRogueRobin gathers the IP address and domain from the victim’s machine.[1]
EnterpriseT1033System Owner/User DiscoveryRogueRobin collects the victim’s username and whether that user is an admin.[1]
EnterpriseT1047Windows Management InstrumentationRogueRobin uses various WMI queries to check if the sample is running in a sandbox.[1]

Groups

Groups that use this software:

DarkHydrus

References