
RogueRobin Trojan

Posted: January 31, 2019

The RogueRobin Trojan is a backdoor Trojan that can grant remote attackers control over your PC. A backdoor Trojan may be the instigator in attacks that block your files by encrypting them, collect information, hijack your hardware for mining cryptocurrencies, or erase data automatically. Users finding themselves compromised should have appropriate anti-malware tools delete the RogueRobin Trojan immediately before taking all due precautions for restoring security, such as changing all passwords.

The Rogue Held Up in a Meerkat's Paws

The group of threat actors identifiable as either Lazy Meerkat or the more ominous DarkHydrus is setting up a new campaign in 2019, with networks in the Middle East being the targets. The victims likely consist of various government, NGO or business employees opening corrupted e-mail attachments, which is a hallmark strategy of this group. The consequence is the dropping of the RogueRobin Trojan, which opens a backdoor into the system.

The RogueRobin Trojan is a high-level threat with two channels for its C&C communications. The preferred one is a DNS tunnel, which may explain why an internal path in the program references a 'DNSProject.' If that channel fails, and a remotely-issued command enables the backup contact feature, the RogueRobin Trojan can transfer data via Google Drive under the name of 'x_mode.' The contents of the C&C communications are standard for a backdoor Trojan and include what malware experts would classify as generically exploitable information, such as system statistics like the version of Windows.
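As an added, defender-side example that is not part of the original article, the following Python script scores a DNS query log for the traits a DNS-tunnelling C&C channel like the one described above tends to show: many unique, high-entropy subdomains under a single registered domain and a heavy share of TXT lookups. The log format, the domain names and the thresholds are constructed assumptions for illustration, not RogueRobin indicators.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log (hypothetical "timestamp client qtype qname" format); tunnel-example.test is a placeholder.
SAMPLE_LOG = """\
2019-01-31T10:00:01 10.0.0.5 A www.example.com
2019-01-31T10:00:02 10.0.0.5 TXT 3a7f9c1e4b2d6a8f0c1e2b3d4f5a6c7d.sub.tunnel-example.test
2019-01-31T10:00:03 10.0.0.5 TXT 9b1c3d5e7f2a4c6e8b0d1f3a5c7e9b2d.sub.tunnel-example.test
2019-01-31T10:00:04 10.0.0.5 A mail.example.com
2019-01-31T10:00:05 10.0.0.5 TXT 0f2e4d6c8b1a3f5e7d9c2b4a6e8f0d1c.sub.tunnel-example.test
2019-01-31T10:00:06 10.0.0.5 TXT 7c5e3a1f9d2b4e6c8a0f1d3b5e7c9a2f.sub.tunnel-example.test
"""

def shannon_entropy(s):
    """Bits per character; encoded data in labels scores high, ordinary host names score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_qname(qname):  # simplification: last two labels = registered domain, rest = prefix
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def analyze_dns_log(log_text, min_unique=4, min_entropy=3.0, min_txt_ratio=0.5):
    """Return {domain: details} for domains showing at least two tunnelling traits."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "prefixes": set(), "ent": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing on them
        _ts, _client, qtype, qname = parts
        domain, prefix = split_qname(qname)
        s = stats[domain]
        s["queries"] += 1
        s["txt"] += qtype.upper() == "TXT"
        if prefix:
            s["prefixes"].add(prefix)
            s["ent"].append(shannon_entropy(prefix))
    findings = {}
    for domain, s in stats.items():
        unique = len(s["prefixes"])
        mean_ent = sum(s["ent"]) / len(s["ent"]) if s["ent"] else 0.0
        txt_ratio = s["txt"] / s["queries"]
        traits = [name for name, hit in (("many unique subdomains", unique >= min_unique),
                                         ("high-entropy labels", mean_ent >= min_entropy),
                                         ("TXT-heavy", txt_ratio >= min_txt_ratio)) if hit]
        if len(traits) >= 2:  # a single trait alone is common for CDNs and benign services
            findings[domain] = {"unique_subdomains": unique, "mean_entropy": round(mean_ent, 2),
                                "txt_ratio": round(txt_ratio, 2), "traits": traits}
    return findings
```

Running `analyze_dns_log(SAMPLE_LOG)` flags only the placeholder tunnel domain; tune the thresholds against a baseline of your own resolver logs before alerting on them.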

Other features of the RogueRobin Trojan include techniques for avoiding sandbox environments (which are commonplace in threat analysis machines) and anti-debugging features, which make it clear that DarkHydrus doesn't want this threat analyzed by the cyber-security industry. While malware researchers can't verify any attacks outside of the Middle East, nothing in the RogueRobin Trojan's payload limits it to that region alone.

Preventing Your Network from Getting Round-Robined

The RogueRobin Trojan's threat actors are consistent in their abuse of e-mail tactics for tricking the victims into compromising their PCs. Typical attacks may use corrupted macros in Microsoft Word documents, as well as attachments phishing for the user's login credentials. The text content is, in most cases, tailored to the target, and can include references to the victim's organization or implications of the document being a financial notice.

Security updates are very pertinent to the above infection strategies, which may use patchable vulnerabilities like the remote code execution exploit of CVE-2018-8414. Modern versions of Word also shouldn't enable macros by default, so the user's intervention is required to initiate the backdoor Trojan's installation routine. Since this threat is a professionally-coded program that represents an enormous security risk, malware experts can only endorse uninstalling the RogueRobin Trojan through appropriate intervention by a proven brand of anti-malware software.

The RogueRobin Trojan offers the hijacking of cloud storage services, analysis prevention, command-line exploits, and other features that are of use to criminals compromising politically-valuable Windows computers. However, it also requires the user to enable a threatening document, one way or another, so the campaign's reach depends entirely on the people it assaults.
