The threat actors behind the new DNSpionage malware campaign have created a new remote administration tool that supports HTTP and DNS communication with a C&C server operated by the attackers.
The malware authors behind this campaign have continuously employed new tactics to evade detection, increase the success rate of infection, and compromise their targets.
In this new DNSpionage campaign, the threat actors developed a new malware called “Karkoff”.
Infection Process and Communication
In the initial stage of this new wave, the attackers used an Excel document with a macro and deployed a newly developed remote administration tool that supports HTTP and DNS communication with the C2 server.
The threat actor added a reconnaissance phase to ensure that the payload is dropped on specific targets.
A feature added to this malware searches for two antivirus products, Avira and Avast, checks whether either of these security products is installed on the system, and terminates its process if the result is positive.
According to the Talos report, the malware author left two different internal names in plain text: “DropperBackdoor” and “Karkoff”. The malware is lightweight compared to other malware due to its small size, and it allows remote code execution from the C2 server.
During the C2 server communication phase, the malware uses either a domain or an IP address, and it supports both HTTP and HTTPS communications.
To obfuscate the C2 server communication, the malware uses base64 encoding, and it also uses an XOR function for other obfuscation processes.
Based on the timeline of observed attacks and overlaps in IP usage during the DNSpionage campaign, researchers believe that the same actor uses the Karkoff and DNSpionage samples.
“Also, there is similar evidence indicating that DNSpionage may be a part of OilRig, and we identified the C2 panel as “Scarecrow,” but we did not identify references to this panel in the leak. The victims in this screenshot are mainly from Lebanon, which is one of the areas targeted by DNSpionage and Karkoff,” Talos said.
“The discovery of Karkoff also shows the actor is pivoting and is increasingly attempting to avoid detection while remaining very focused on the Middle Eastern region.”
Also, the Department of Homeland Security (DHS) issued a DNS hijacking campaign alert requiring all U.S. agencies to check if their .gov or agency-managed domains are resolving to the right IP addresses.
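The check the DHS alert asks for can be automated by comparing live DNS answers against a recorded baseline of expected addresses. The Python below is an added example, not code from Talos or DHS; the hostnames, IP addresses and function names are constructed placeholders.

```python
import socket

# Constructed baseline (assumption): placeholder names and addresses from
# documentation ranges, standing in for an agency's recorded DNS records.
BASELINE = {
    "www.agency.example": {"192.0.2.10"},
    "mail.agency.example": {"192.0.2.25", "192.0.2.26"},
    "vpn.agency.example": {"198.51.100.7"},
}

# Constructed resolver answers for an offline demo: vpn has been repointed.
SAMPLE_ANSWERS = {
    "www.agency.example": {"192.0.2.10"},
    "mail.agency.example": {"192.0.2.25"},
    "vpn.agency.example": {"203.0.113.99"},
}

def sample_resolver(name):
    return SAMPLE_ANSWERS[name]

def system_resolver(name):
    """Addresses the local resolver currently returns for name."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def audit(baseline, resolve=system_resolver):
    """Compare live answers with the baseline and return the findings."""
    findings = []
    for name, expected in sorted(baseline.items()):
        try:
            actual = set(resolve(name))
        except OSError as exc:  # socket.gaierror is an OSError subclass
            findings.append((name, "RESOLUTION_FAILED", str(exc)))
            continue
        unexpected, missing = actual - expected, expected - actual
        if unexpected:  # an address outside the baseline is the hijack signal
            findings.append((name, "UNEXPECTED_IP", sorted(unexpected)))
        if missing:  # a recorded address is no longer being served
            findings.append((name, "MISSING_IP", sorted(missing)))
    return findings

if __name__ == "__main__":
    for name, kind, detail in audit(BASELINE, sample_resolver):
        print(f"{name}: {kind} {detail}")
```

Calling audit(BASELINE) without a resolver argument queries the system resolver instead of the constructed answers.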
Indicator of Compromise
DNSpionage XLS document