The cybercriminal group behind the infamous DNSpionage malware campaign has become more selective in choosing its targets and is trying to improve the efficacy of its operations by changing its tactics, techniques and procedures. According to Cisco's Talos team, which has been tracking the group's activity since November 2018, the attackers have adopted a new tactic that selectively chooses which targets to infect with malware.
First uncovered in November last year, the DNSpionage campaign used compromised sites, DNS hijacking and crafted malicious documents to infect victims' computers with DNSpionage, a custom remote administration tool that uses HTTP and DNS to communicate with the attacker's command and control (C&C) server. In April 2019, the researchers discovered that the group had switched to a new malware, which they dubbed "Karkoff."
Like the previous version, the new sample supports both HTTP and DNS communication with the C&C server. The HTTP communication is hidden in comments in the HTML code, and while the DNS communication method remained the same, the author added some new features, including the ability to perform reconnaissance on victims. This reconnaissance stage ensures that the payload is dropped only on specific targets rather than downloaded to every machine.
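Detecting C&C traffic that hides in HTML comments, as described above: an added example (not Talos' analysis code or the malware's own) that extracts the comments from a fetched page and flags those that look like encoded data rather than markup notes. The sample page and the tasking string in it are constructed for illustration.

```python
import base64
import math
import re

# Matches HTML comments, including ones spanning several lines
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Base64 alphabet with optional padding; whitespace is stripped before matching
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def shannon_entropy(text):
    """Bits per character; a quick way to tell encoded data from prose."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def extract_comments(html):
    """Return the body of every HTML comment, with surrounding whitespace removed."""
    return [m.group(1).strip() for m in COMMENT_RE.finditer(html)]

def suspicious_comments(html, min_len=32, min_entropy=3.5):
    """Return (comment, decoded_bytes) for comments that look like an encoded payload."""
    hits = []
    for comment in extract_comments(html):
        compact = "".join(comment.split())
        # Filter 1 and 2: long enough to carry data, and only base64 characters
        if len(compact) < min_len or not B64_RE.match(compact):
            continue
        # Filter 3: high entropy; ordinary developer notes are punctuated prose
        if shannon_entropy(compact) < min_entropy:
            continue
        try:
            decoded = base64.b64decode(compact, validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad length or padding
            continue
        hits.append((comment, decoded))
    return hits

# Constructed sample page (hypothetical, not a real capture): one ordinary
# developer comment and one comment carrying a base64-encoded tasking string.
FAKE_TASK = b"TaskId=4217;Run=GetHostInfo;Beacon=300s"
SAMPLE_HTML = (
    "<html><head><!-- site theme v2, do not edit --></head>\n"
    "<body><p>Welcome</p>\n"
    "<!-- " + base64.b64encode(FAKE_TASK).decode() + " -->\n"
    "</body></html>\n"
)
```

Running `suspicious_comments` over proxy-captured page bodies for hosts a process talks to on a schedule gives a cheap triage signal; a flagged comment is a lead for analysis, not proof of compromise by itself.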
The attack begins with a spearphishing email that contains a new Microsoft Excel document with practically the same macros that were used in previous attacks, although slight changes have been made to the directories and scheduled task names used. The next stage downloads the "Karkoff" malware, which is developed in .NET. The researchers note that it is particularly small and lightweight compared to other malware. "Karkoff" supports C&C-directed remote code execution over HTTP, HTTPS and DNS.
On a Windows system the malware disguises itself as a service named "MSExchangeClient". It doesn't use any form of obfuscation, so the code can be easily disassembled. The malware searches for two specific anti-virus products: Avira and Avast. If one of these is installed and running on the system, "Karkoff" ignores some configuration options before proceeding with the infection.
Interestingly, "Karkoff" generates a log file in which it stores all executed commands with timestamps. Should an organization fall victim to the attacks, it would therefore be able to trace back the malware's activity and evaluate the possible damage.
The researchers have connected Karkoff with DNSpionage through the history of the IPs used for the C&C server domain (rimrun[.]com), which points to a clear infrastructure overlap. They have also found a weak link between DNSpionage and OilRig, a threat group known for its numerous attacks against targets in the Middle East, but at this stage the researchers are not sure whether the two are one and the same or are working together.
INDICATORS OF COMPROMISE (IOCS)
The following IOCs are associated with this campaign: