RogueRobin

Malware Profile Updated 3 months ago
RogueRobin is malware first identified as a PowerShell-based payload associated with the DarkHydrus cybercriminal group. Our initial analysis showed stealthy infiltration, typically entering systems through suspicious downloads, emails, or websites without the user's awareness. Once inside, it could potentially steal personal information, disrupt operations, or hold data hostage for ransom. The malware issued DNS requests to resolve custom-crafted subdomains of its command-and-control (C2) domains using various query types, a sophisticated communication method.

In a subsequent investigation, we found that DarkHydrus had developed a new variant of RogueRobin. This version, written in C#, is functionally similar to the original PowerShell payload, suggesting that the group ported their code to a compiled variant. The new variant also attempts to detect whether it is running in a sandbox, using the same commands as the original version, an advanced evasion technique. We collected three DarkHydrus delivery documents that install this new variant, which further confirmed our findings.

Notably, the new variant of RogueRobin can use Google Drive as its C2 channel. This suggests a strategic shift by DarkHydrus towards abusing legitimate cloud services for its infrastructure, a concerning development given how widely such services are used. The behavior mirrors trends observed with other adversary groups in the Middle East, such as OilRig, which have also moved their earlier PowerShell-based code to executable variants. Users are therefore urged to exercise caution when interacting with unfamiliar files or links, even those that appear to come from trusted sources like Google Drive.
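The profile above describes C2 over DNS queries for custom-crafted subdomains using several record types. The following is an added detection example, not code from the profile or from any vendor report: it scans a constructed DNS query log, groups queries by parent domain, and flags domains that were queried with many distinct record types and whose leftmost labels look encoded (high character entropy). The log format, the placeholder domain and the naive two-label parent-domain split are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the page): "<client> <qtype> <qname>" per line.
# The C2 domain is a placeholder; the profile names no RogueRobin C2 domains.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.7 A a1b2c3d4e5f6a7b8c9d0.c2-placeholder.test
10.0.0.7 AAAA 0f1e2d3c4b5a69788796.c2-placeholder.test
10.0.0.7 TXT 9a8b7c6d5e4f30211203.c2-placeholder.test
10.0.0.7 MX 5566778899aabbccddee.c2-placeholder.test
10.0.0.7 SRV ffeeddccbbaa99887766.c2-placeholder.test
10.0.0.7 CNAME 1122334455667788990a.c2-placeholder.test
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores far higher than ordinary hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_qname(qname):
    """Naive split into (leftmost label, parent domain); assumes two-label parents like example.com."""
    labels = qname.rstrip(".").split(".")
    parent = ".".join(labels[-2:])
    leftmost = labels[0] if len(labels) > 2 else ""
    return leftmost, parent

def analyze(log_text, min_qtypes=3, min_entropy=3.0):
    """Flag parents queried with >= min_qtypes record types whose labels' mean entropy >= min_entropy."""
    per_parent = defaultdict(lambda: {"qtypes": set(), "entropies": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _client, qtype, qname = parts
        leftmost, parent = split_qname(qname)
        per_parent[parent]["qtypes"].add(qtype)
        if leftmost:
            per_parent[parent]["entropies"].append(shannon_entropy(leftmost))
    findings = {}
    for parent, s in per_parent.items():
        mean_ent = sum(s["entropies"]) / len(s["entropies"]) if s["entropies"] else 0.0
        if len(s["qtypes"]) >= min_qtypes and mean_ent >= min_entropy:
            findings[parent] = {"qtypes": sorted(s["qtypes"]), "mean_label_entropy": round(mean_ent, 2)}
    return findings
```

On the sample log only the placeholder domain is flagged: six record types and labels averaging above 3.5 bits per character, whereas the ordinary hostnames under example.com score a single record type and low entropy.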
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Google, Trojan, Payload, DNS, Sandbox
Associated Malware
No associations to display
Associated Threat Actors
OilRig (type: Unspecified, votes: 1): OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as
DarkHydrus (type: Unspecified, votes: 1): DarkHydrus is a notable threat actor known for executing malicious activities. The group has been associated with several well-known campaigns including DarkHydrus, OilRig, xHunt, SUNBURST, and Decoy Dog. These campaigns have leveraged DNS tunneling for Command and Control (C2) communications, a tec
Associated Vulnerabilities
No associations to display
Source Document References
Information about the RogueRobin malware was read from the document corpus below. This display is limited to 20 results.
MITRE (a year ago): DarkHydrus delivers new Trojan that can use Google Drive for C2 communications