DNSpionage campaign drops new .NET-based Karkoff malware to infect victims’ systems

• The malware is delivered via an Excel document that contains malicious macros.
• The spear phishing messages are sent to the specific targets chosen by the threat actor group.

Researchers at Cisco Talos detected a DNSpionage malware campaign in late 2018. It is believed that the same threat actor group has changed its tactics over time to improve the efficacy of its operations.

In April 2019, it has been found that the actors are using a new malware called ‘Karkoff’ to conduct DNSpionage campaigns.

What are the changes - According to the latest research by Cisco Talos, it has been discovered that the group has now created a new remote administration tool that supports HTTP and DNS communication.

In addition to this, the campaign also includes a new reconnaissance stage that enables the group to selectively choose its target. The actors are using a new .NET-based Karkoff malware designed to allow them to execute code remotely on compromised hosts.

How is the malware delivered - The malware is delivered via an Excel document that contains malicious macros. Here, the spear phishing messages are sent to the targets chosen by the group.

When the malicious macros are executed on an infected machine, it is renamed as ‘taskwin32.exe’ in order to avoid detection. Further, the name of the scheduled task designed to maintain persistence is also changed and renamed as ‘onedrive updated v10.12.5’.

The attackers have also improved the malware’s capability of hiding their activity by splitting API calls.

What are the activities of Karkoff malware - Karkoff first aims to drop a Windows batch file to execute WMI commands and obtain a list of machine’s running process. It then searches for antivirus products present on the machine before proceeding with the infection.

Once it customizes the action of the machine, the malware logs all the command it executes on the compromised systems by attaching timestamps.

“The executed commands are stored in this file (XORed with 'M') with a timestamp. This log file can be easily used to create a timeline of the command execution which can be extremely useful when responding to this type of threat. With this in mind, an organization compromised with this malware would have the opportunity to review the log file and identify the commands carried out against them,” the Cisco Talso researchers noted.

What’s the link - Researchers claim OilRig threat actor group is likely behind the DNSpionage campaign as well. The threat actor has leveled persistence attacks against organizations in the Middle East for many years. The group is using a variety of trojans, DNS Tunneling and spear phishing tactics to snare targets.