A new threat group dubbed DarkHydrus has targeted at least one government agency in the Middle East.
Between July 15 and 16, Palo Alto Networks' Unit 42 researchers spotted the group sending spear-phishing emails written in Arabic to targeted organizations, with password-protected RAR archive attachments containing malicious Excel Web Query (.iqy) files, according to a July 27 blog post.
“The .iqy files take advantage of Excel's willingness to download and include the content from a remote server in a spreadsheet,” researchers said in the post. “DarkHydrus leveraged this obscure file format to run a command to ultimately install a PowerShell script to gain backdoor access to the system.”
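To make the mechanism concrete, the following is an added example written for this article; it is not code from the Unit 42 post or from the DarkHydrus toolset. An .iqy file is plain text: a query type line ("WEB"), a version line, the URL Excel will fetch, and optional settings. The sample file, its hostname and the allowlist are constructed placeholders, not indicators from the campaign. The script parses the file, pulls out the remote host, and flags any web query that reaches a host the reviewer has not allowlisted, which is the kind of triage check a responder might run over attachments extracted from such an archive.

```python
from urllib.parse import urlparse

# Constructed sample of an Excel Web Query (.iqy) file. The format is plain text:
# line 1 the query type ("WEB"), line 2 the format version ("1"), line 3 the URL
# Excel fetches and pastes into the sheet, then optional key=value settings.
# The hostname is a placeholder, not an indicator from the DarkHydrus campaign.
SAMPLE_IQY = (
    "WEB\r\n"
    "1\r\n"
    "http://downloads.example.net/query.txt\r\n"
    "\r\n"
    "Selection=AllTables\r\n"
    "Formatting=None\r\n"
)


def parse_iqy(text):
    """Split .iqy text into (query_type, version, url, options); None if not a web query."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    options = {}
    for entry in lines[3:]:
        if "=" in entry:
            key, value = entry.split("=", 1)
            options[key.strip()] = value.strip()
    return lines[0].upper(), lines[1], lines[2], options


def assess_iqy(text, allowlist=frozenset()):
    """Flag a .iqy that pulls content from outside the caller's (assumed) allowlist.

    The .iqy itself carries only a URL; whatever Excel downloads from it is what
    ends up in the sheet, so the host is the only thing the file lets us judge.
    """
    parsed = parse_iqy(text)
    if parsed is None:
        return {"is_web_query": False}
    _, version, url, options = parsed
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append("non-web scheme %r" % parts.scheme)
    if host and host not in allowlist:
        reasons.append("remote host %s is not allowlisted" % host)
    if parts.scheme == "http":
        reasons.append("cleartext HTTP, fetched content can be tampered with in transit")
    return {
        "is_web_query": True,
        "version": version,
        "url": url,
        "remote_host": host,
        "options": options,
        "flagged": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    verdict = assess_iqy(SAMPLE_IQY, allowlist={"intranet.example.com"})
    print("url:", verdict["url"])
    print("flagged:", verdict["flagged"], "->", "; ".join(verdict["reasons"]))
```

Because the file looks harmless on its own, the useful follow-up is to fetch the URL from an isolated analysis host and inspect what Excel would have received; a response that contains a formula or command string, rather than tabular data, is the behaviour the researchers describe.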
Researchers dubbed the custom PowerShell-based payload RogueRobin and said it is possible the group pieced together the tool using code from legitimate open-source tools.
The threat actors appear to have been active since 2016, although their most recent attacks have diverged from previous attacks witnessed by the researchers.