DarkHydrus uses the open source tool Phishery to launch phishing attacks in the Middle East

Last week, Unit 42 released information about a new threat group called DarkHydrus, and the researchers observed that the group's target was a government entity in the Middle East. The attacks previously discussed by Unit 42 used spear phishing to deliver a PowerShell payload called RogueRobin.

DarkHydrus also conducted a credential harvesting attack in June 2018. This suggests that DarkHydrus's activity is ongoing, and there is evidence that earlier attempts to harvest credentials using the same infrastructure date back to the fall of 2017. These attacks targeted government and educational institutions in the Middle East.

The credential harvesting attacks use spear-phishing emails carrying malicious Microsoft Office documents that use the "attachedTemplate" feature to load a template from a remote server. When Microsoft Office attempts to load this remote template, it displays an authentication dialog asking the user to provide login credentials. Once entered, these credentials are sent to the C2 server, allowing DarkHydrus to collect user account credentials.
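The remote template reference that makes this technique work lives inside the .docx package itself: Word records it as a relationship of type `attachedTemplate` in `word/_rels/settings.xml.rels`, and a template fetched from a server has `TargetMode="External"` with an http/https (or UNC) target. That makes it straightforward to triage attachments at a mail gateway or during incident response without opening them in Word. The scanner below is an added example written for this article; it is not code from Unit 42 or from the Phishery project. The sample package it builds is a constructed test fixture containing only the parts the scanner inspects (it is not a complete Word file), and the template URL is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Relationship type Word uses for the "attached template" setting (OOXML).
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_external_templates(docx_bytes):
    """Return the targets of any remote attachedTemplate relationships in a .docx.

    A clean document normally has no attachedTemplate relationship, or one that
    points at a local .dotx. A relationship with TargetMode="External" and an
    http/https or UNC target means Word will reach out to that host on open,
    which is the behaviour this credential harvesting technique relies on.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return findings
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.findall(f"{{{PKG_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE_TYPE:
                continue
            target = rel.get("Target", "")
            mode = rel.get("TargetMode", "Internal")  # OOXML default is Internal
            scheme = urlparse(target).scheme.lower()
            is_unc = target.startswith("\\\\") or target.startswith("//")
            if mode == "External" and (scheme in ("http", "https") or is_unc):
                findings.append(target)
    return findings


def build_sample_package(rels_xml):
    """Constructed test fixture: a zip with only the parts the scanner reads.

    This is deliberately not a complete Word document (no [Content_Types].xml,
    no document.xml); it exists so the scanner can be exercised offline.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/settings.xml", "<w:settings/>")
        if rels_xml is not None:
            zf.writestr(SETTINGS_RELS, rels_xml)
    return buf.getvalue()


# Constructed relationship parts; the remote host is a placeholder, not an IoC.
REMOTE_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{PKG_NS}">'
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" '
    'Target="http://placeholder.invalid/template.dotx" TargetMode="External"/>'
    "</Relationships>"
)
LOCAL_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{PKG_NS}">'
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" '
    'Target="file:///C:\\Users\\user\\Templates\\Normal.dotm" TargetMode="External"/>'
    "</Relationships>"
)


def triage(docx_bytes):
    """Return 'remote-template' if the package would fetch a template, else 'clean'."""
    return "remote-template" if find_external_templates(docx_bytes) else "clean"


if __name__ == "__main__":
    for label, rels in (("remote", REMOTE_RELS), ("local", LOCAL_RELS), ("none", None)):
        pkg = build_sample_package(rels)
        print(label, triage(pkg), find_external_templates(pkg))
```

In practice the same check is worth applying to `.dotx`, `.docm` and `.dotm` attachments, and any hit should be correlated with outbound HTTP or SMB authentication attempts from the user's workstation at document-open time.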

Based on Unit 42's technical analysis, DarkHydrus created the two Word documents used in these credential harvesting attacks with the open source Phishery tool. This further demonstrates DarkHydrus's use of open source attack tools.

Such phishing attacks are not new: US-CERT warned in 2017 that different threat groups were using the same technique in their attacks. It is worth noting that DarkHydrus's use of open source tools against these targets is consistent with the group's broader reliance on open source tooling. The researchers speculate that the group will continue to attack such targets in the Middle East in the near future.

Source, Image: paloaltonetworks