Monday, December 9, 2024
HomeComputer SecurityHackers Behind DNSpionage Created a New Remote Admin Tool for C2 Server...

Hackers Behind DNSpionage Created a New Remote Admin Tool for C2 Server Communication Over HTTP and DNS

Published on

SIEM as a Service

Threat actors behind the new malware campaign DNSpionage created a new remote administrative tool that supports HTTP and DNS communication with C&C Server that operates by attackers.

Based on a recent incident, the DNSpionage campaign which is developed and operates by APT 34 hacking group to perform MITM Attack to steal the authentication details through Hijacking the DNS.

Malware authors behind this campaign continuously employed new tactics to evade the detection and increase the success ratio of the infection and compromise the targets.

- Advertisement - SIEM as a Service

At this new DNSpionage campaign, Threat actors developed a new malware called “Karkoff.

Infection Process and Communication

The initial stage of this new wave, attackers used an Excel document with a macro and they deploy newly developed remote Admin Tool that supports HTTP and DNS communication to the C2 server.

Threat actor added a reconnaissance phase to ensure that the payload is being dropped on specific targets.

A future that added within this malware search for two Anti-Virus software
Avira and Avast and check whether any of these security products are installed on the system and terminate its process if the result will be positive.

According to Talos Report, Te malware author left two different internal names in plain text: “DropperBackdoor” and “Karkoff”, the malware is lightweight compared to other malware due to its small size and allows remote code execution from the C2 server. 

During the C2 server communication phase, the malware uses either domain or IP address and also it supports both HTTP and HTTPS communications.

In order to obfuscate the C2 server communication, malware using base64 encoding, and also using XOR function for other obfuscation processes.

Based on the timeline of observed attacks and overlaps in IP usage during the DNSpionage campaign, Researchers believe that the same actor uses the Karkoff and DNSpionage samples.

“Also there is similar evidence indicates that DNSpionage may be a part of OilRig and we identified the C2 panel as “Scarecrow,” but we did not identify references to this panel in the leak. The victims in this screenshot are mainly from Lebanon, which is one of the areas targeted by DNSpionage and Karkoff” Talos Said.”

“The discovery of Karkoff also shows the actor is pivoting and is increasingly attempting to avoid detection while remaining very focused on the Middle Eastern region.”

Also, the Department of Homeland Security (DHS) issued a DNS hijacking campaign alert requiring all U.S. agencies to check if their .gov or agency-managed domains are resolving to the right IP addresses.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Indicator of Compromise

DNSpionage XLS document

2fa19292f353b4078a9bf398f8837d991e383c99e147727eaa6a03ce0259b3c5 (SHA256)

DNSpionage sample

e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8 (SHA256)

Karkoff samples

5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c
6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11
b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04
cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...