RogueRobin

Malware updated 6 months ago (2024-05-04T18:26:03.859Z)
RogueRobin is malware that was originally identified as a PowerShell-based payload associated with the DarkHydrus cybercriminal group. Our initial analysis showed that it infiltrates systems stealthily, typically arriving through suspicious downloads, emails, or websites without the user's awareness. Once inside, it could potentially steal personal information, disrupt operations, or hold data hostage for ransom. The malware was observed issuing DNS requests that resolve custom-crafted subdomains of its command and control (C2) domains using a variety of DNS query types, demonstrating a comparatively sophisticated communication method.

In a subsequent investigation, we discovered that DarkHydrus had developed a new variant of RogueRobin. This version, written in C#, is functionally similar to the original PowerShell payload, suggesting that the group ported its code to a compiled variant. The new variant also attempts to detect whether it is running in a sandbox environment, using the same commands as the original version, indicating an advanced evasion technique. We collected three DarkHydrus delivery documents that install this new variant, which further confirmed our findings.

Notably, the new variant of RogueRobin can use Google Drive as its C2 channel. This suggests a strategic shift by DarkHydrus towards abusing legitimate cloud services for its infrastructure, a concerning development given the widespread use of such services. The behaviour mirrors trends observed with other adversary groups in the Middle East, such as OilRig, which have also transitioned their earlier PowerShell-based code to executable variants. Users are therefore urged to exercise caution when interacting with unfamiliar files or links, even those that appear to originate from trusted sources such as Google Drive.
Description last updated: 2023-11-29T08:23:44.745Z
Aliases: We are not currently tracking any aliases.
Source Document References
Information about the RogueRobin malware was read from the documents corpus below.