DarkHydrus

DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. [1] [2]

ID: G0079
Contributors: Oleg Skulkin, Group-IB
Version: 1.3
Created: 17 October 2018
Last Modified: 12 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

DarkHydrus leveraged PowerShell to download and execute additional scripts for execution.[1][2]

Enterprise T1187 Forced Authentication

DarkHydrus used Template Injection to launch an authentication window for users to enter their credentials.[3]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

DarkHydrus has used -WindowStyle Hidden to conceal PowerShell windows. [1]

Enterprise T1588 .002 Obtain Capabilities: Tool

DarkHydrus has obtained and used tools such as Mimikatz, Empire, and Cobalt Strike.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

DarkHydrus has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy). The group has also sent spearphishing emails that contained malicious Microsoft Office documents that use the "attachedTemplate" technique to load a template from a remote server.[1][3][2]

Enterprise T1221 Template Injection

DarkHydrus used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication.[3]

Enterprise T1204 .002 User Execution: Malicious File

DarkHydrus has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded.[1][2]

Software

ID Name References Techniques
S0154 Cobalt Strike [1][2] Abuse Elevation Control Mechanism: Bypass User Account Control, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: JavaScript, Commonly Used Port, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Multiband Communication, Native API, Network Service Scanning, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection, Process Injection: Process Hollowing, Process Injection: Dynamic-link Library Injection, Protocol Tunneling, Proxy: Internal Proxy, Proxy: Domain Fronting, Query Registry, Reflective Code Loading, Remote Services: SMB/Windows Admin Shares, Remote Services: Windows Remote Management, Remote Services: SSH, Remote Services: Remote Desktop Protocol, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Signed Binary Proxy Execution: Rundll32, Software Discovery, Subvert Trust Controls: Code Signing, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Local Accounts, Valid Accounts: Domain Accounts, Windows Management Instrumentation
S0002 Mimikatz [1][2] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0270 RogueRobin [1][4] Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Obfuscated Files or Information, Process Discovery, Screen Capture, Signed Binary Proxy Execution: Regsvr32, Software Discovery: Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion: System Checks, Web Service: Bidirectional Communication, Windows Management Instrumentation

References