Into the Land of the Dark(hydrus)

Lokesh Janakiraman, Raja Babu Annamalai/K7 Computing

"Technology is, of course, a double-edged sword." - Jason Silva

Very true; a fence protects, but at the same time it can imprison the fenced. Cybersecurity is no exception. Almost every security researcher has faced situations where legitimate open-source tools and applications developed for routine activities have been put to "good use" by cybercriminals, especially in targeted attacks. Contextual generic detections of such modified tools help researchers piece together an attack during forensic examination of an incident, giving an insight into the adversary's arsenal.

We recently analysed the attachment of a spear-phishing email with an intriguing title and content tantalizingly customized to reflect current political and economic affairs in Vietnam, and even written in the target's native tongue. Little did we realise that this would lead us to an online den of Darkhydrus, one of many, perhaps. Darkhydrus is a well-known threat actor group that has been in operation since 2016 and has targeted government agencies and educational institutions in the Middle East to harvest credentials. This recent campaign implies that the group is still active and seeking to expand its operations, eastwards it seems.

But even sophisticated threat actors can and do make grave errors. Our analysis suggests that this gang stumbled upon a vulnerable server and used it as part of their infrastructure to host and distribute their wares, without noticing that it had an open directory listing that allowed every file to be downloaded without any special requests or restrictions. And, of course, we did precisely that, without seeking their permission.

This talk will cover the end-to-end TTPs in the Darkhydrus kill chain: building infrastructure on HttpWebServer 2.3 to host files; spear-phishing documents weaponized with macros, and the use of decoy documents; the changes made to RogueRobin over time; low-level deconstruction (including anti-analysis techniques and obfuscation) of the different avatars of the modules that deliver a Cobalt Strike Beacon; Malleable C2 profiles and the use of Google Drive for C2 communication to fly under the radar; the use of the BadUSB project from GitHub in the credential-dumping phase (alongside Mimikatz); a DoublePulsar backdoor implant; and other paraphernalia such as downloader agents and scripts. We will also point out similarities with the techniques used by other threat actors to determine whether criminal synergies are at play.

November 8 at 14:30 - 15:00, Stage B

Lokesh Janakiraman: Lokesh Janakiraman graduated from Anna University Chennai with a bachelor's degree in Computer Science Engineering. He started his career in 2016 as a Threat Researcher at K7 Computing's Threat Control Lab. He is responsible for maintaining active detections of prevalent malware (generic/heuristic/behavioral methods) and handling client escalations. His dissections of various malware are detailed on K7 Threat Control Lab's technical blog. He likes staying in shape and touring on his motorcycle, which he also likes to tinker with and tweak in his garage.

Raja Babu Annamalai: Raja Babu Annamalai holds a Master's degree in Computer Applications from the University of Madras. Starting his career in 2008 as a malware analyst at Comodo, he joined K7 Computing's Threat Control Lab as a Threat Researcher in 2010 and is currently working as Research Team Lead. His primary responsibilities include in-depth malware analysis, developing automated systems and training new researchers. He co-authored a paper for AVAR 2013 and presented at AVAR 2017 and AVAR 2018. In his free time he likes to watch movies, cook and spend time with his family.