Learn Something New

DNSpionage Drops New Karkoff Malware

In November 2018, Cisco Talos discovered an attack campaign, called DNSpionage, in which threat actors created a new remote administrative tool that supports HTTP and DNS communication with the attackers' command and control(C2). Since then, there have been several other public reports of additional DNSpionage attacks.

The DNSpionage malware campaign has added a new reconnaissance stage showing that the attackers have become more picky with their targets, as well as a new .NET-based malware dubbed Karkoff and designed to allow them to execute code remotely on compromised hosts.

DNSpionage's new victim survey phase will also allow it to avoid being analyzed by researchers and dropping its malware payloads on sandboxes designed for malware analysis, as detailed by the Warren Mercer and Paul Rascagneres Cisco Talos security researchers.


In our previous post concerning DNSpionage, we showed that the malware author used malicious macros embedded in a Microsoft Word document. In the new sample from Lebanon identified at the end of February, the attacker used an Excel document with a similar macro:



Instead of using the .oracleServices directory, which we had previously observed, the attacker uses a .msdonedrive directory and renames the malware "taskwin32.exe." The scheduled task was also renamed to "onedrive updater v10.12.5."


This new sample is similar to the previous version disclosed in our previous post. The malware supports HTTP and DNS communication to the C2 server. The HTTP communication is hidden in the comments in the HTML code. This time, however, the C2 server mimics the GitHub platform instead of Wikipedia. While the DNS communication follows the same method we described in our previous article, the developer added some new features in this latest version and, this time, the actor removed the debug mode. 


The malware also identifies the username and computer name of the infected system. Finally, it uses the NetWkstaGetInfo() API with the level 100 to retrieve additional info on the system (this is the 64th number, hex 64 is 100 decimal).



DNSpionage will also check if the Avira and Avast anti-malware solutions are installed on the compromised computers and will customize its actions accordingly, ignoring some of its configuration options.

Later on, the researchers stumbled upon a new .NET-based malware distributed by the DNSpionage campaign which they dubbed 'Karkoff' after one of the plain text internal names they discovered. 

"The malware is lightweight compared to other malware due to its small size and allows remote code execution from the C2 server. There is no obfuscation and the code can be easily disassembled," says Cisco Talos.

What makes Karkoff a bit 'special' is the fact that it will log all the commands it executes on the compromised systems — also attaching timestamps to each and every one of them — making its victims' task of detecting the damages it inflicts a lot easier.


DNS hijacking alert issued by the DHS

Domain name system (DNS) is a service which allows users to enter website addresses in the form of domain names instead of having to type in the IP addresses of the webs servers in their web browsers.

Gaining access to the DNS records using DNS hijacking attacks makes it possible for threat actors to redirect their targets' name servers to their own infrastructure, allowing them to funnel their victims to servers they control and compromise them using malware or various malicious tools.

As discovered by Cisco Talos, the DNSpionage attackers' had their sights set on various targets from the Middle East during the initial phase of the attack and launched DNS hijacking attacks against a number of Lebanon and United Arab Emirates government domains.



Thank you for reading this article . also share this article with your friends.


Full article will be available in cisco website so if you can read full article then visit cisco blog.