The recently discovered DarkHydrus threat group is now using the open-source Phishery tool to harvest credentials from an educational institution in the Middle East.
On June 24, researchers from Palo Alto Networks' Unit 42 division observed the group carrying out an attack using a spear-phishing email with the subject line "Project Offer" and a malicious Word attachment, according to an Aug. 7, 2018 company blog post.
Not long before this, the group had been spotted targeting at least one government agency with spear-phishing emails aimed at gaining backdoor access to its systems.
"The credential harvesting attacks used spear phishing emails that contained malicious Microsoft Office documents that leveraged the 'attachedTemplate' technique to load a template from a remote server," researchers said in the post. "When attempting to load this remote template, Microsoft Office will display an authentication dialog box to ask the user to provide login credentials."
Researchers said the group used the Phishery tool to create two of the known Word documents used in the attacks, and noted that the use of open-source tools in targeted attacks in the Middle East is in line with the group's previous activity. Unit 42 said that Phishery is capable of creating malicious Word docs by injecting a remote template URL, and also of "hosting a C2 server to gather credentials entered into authentication dialog boxes displayed when attempting to obtain the remote template."
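The remote-template trick described in the two passages above leaves a concrete artifact inside the .docx: a `Relationship` of type `attachedTemplate` in `word/_rels/settings.xml.rels` whose `Target` is an external URL. The following is an added example, not code from Unit 42 or from the Phishery project, of a triage script that builds a constructed sample document with that relationship and then scans for it. The hostname `template.example.invalid` and the file names are assumptions used only for the demonstration; note that legitimate documents also carry an `attachedTemplate` entry with `TargetMode="External"` when the template is a local `file:///` path, so the scan flags only HTTP(S) and UNC targets.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML namespaces and the relationship type Word uses for an attached template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
OFFICE_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = OFFICE_REL_NS + "/attachedTemplate"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def build_docx(template_target=None):
    """Construct a minimal .docx in memory (a constructed sample, not a real lure).

    When template_target is given, the document carries the same structure a
    remote-template injector produces: <w:attachedTemplate r:id="rId1"/> in
    word/settings.xml plus an external relationship in settings.xml.rels that
    points at the template URL. Otherwise a benign document is produced.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   f'<?xml version="1.0"?><w:document xmlns:w="{WML_NS}"><w:body/></w:document>')
        attached = '<w:attachedTemplate r:id="rId1"/>' if template_target else ""
        z.writestr("word/settings.xml",
                   f'<?xml version="1.0"?><w:settings xmlns:w="{WML_NS}" xmlns:r="{OFFICE_REL_NS}">{attached}</w:settings>')
        if template_target:
            z.writestr(SETTINGS_RELS,
                       f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}">'
                       f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                       f'Target="{template_target}" TargetMode="External"/></Relationships>')
    return buf.getvalue()


def is_remote_target(target):
    """True for targets Word would fetch over the network (HTTP(S) or UNC path).

    Local templates use file:/// or a drive path and are normal; they are not
    flagged, which avoids false positives on ordinary corporate documents.
    """
    scheme = urlparse(target).scheme.lower()
    return scheme in ("http", "https") or target.startswith("\\\\") or target.startswith("//")


def find_remote_templates(docx_bytes):
    """Return the external attachedTemplate targets found in a .docx.

    Word resolves the attached template before rendering the body, and a 401
    response from the template host is what produces the credential prompt
    described in the article, so every hit here deserves a look.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            if rel.get("TargetMode") == "External" and is_remote_target(target):
                hits.append(target)
    return hits


if __name__ == "__main__":
    # Assumed URL for the demonstration only; no such host is contacted.
    lure = build_docx("http://template.example.invalid/proposal.dotm")
    print("remote templates in constructed lure:", find_remote_templates(lure))
    print("remote templates in benign document:", find_remote_templates(build_docx()))
```

In a real triage pipeline the same check should also be run over `word/_rels/document.xml.rels` and any `.dotm`/`.dotx` attachments, and a hit should be correlated with outbound HTTP from WINWORD.EXE at open time; the relationship is the static indicator, the 401-then-credential-prompt is the behavioral one.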