DNSpionage Drops New Karkoff Malware, Cherry-Picks Its Victims

The DNSpionage malware campaign has added a new reconnaissance stage showing that the attackers have become more picky with their targets, as well as a new .NET-based malware dubbed Karkoff and designed to allow them to execute code remotely on compromised hosts.

DNSpionage's new victim survey phase will also allow it to avoid being analyzed by researchers and dropping its malware payloads on sandboxes designed for malware analysis, as detailed by the Warren Mercer and Paul Rascagneres Cisco Talos security researchers.

As further unearthed by Cisco Talos back in November, the DNSpionage attack campaign uses a custom remote administrative tool that makes it possible to communicate with its command-and-control (C2) servers via HTTP and DNS channels and also gives the name of the malware campaign.

Besides the DNSpionage malware, the hacking group behind the campaign also uses the Mimikatz credential dumper, various off-the-shelf administration tools, the Bitvise WinSSH SSH server, a number of open source hacking tools, and the Putty program for SSH tunneling within the same network, as detailed by the French security researchers from CERT-OPMD which also provide a ATT&CK Matrix mapping for DNSpionage attacks.

New malicious tools designed to improve attack efficiency

Since the initial report, the hackers behind the DNSpionage campaign have improved their attack methods and expanded their malicious toolset, as learned by Cisco Talos during February when they spotted new and updated malware being dropped during the attacks.

More to the point, as part of the new reconnaissance phase added to the campaign, "the malware drops a Windows batch file (a.bat) in order to execute a WMI command and obtain all the running processes on the victim's machine." This, coupled with a NetWkstaGetInfo() API request, allows it to collect workstation environment info designed to fingerprint the victim's machine.

The attackers also improved the malware's capability of hiding its activity by splitting API calls effectively breaking Yara rules designed to detect malicious activity based on specific strings.

DNSpionage will also check if the Avira and Avast anti-malware solutions are installed on the compromised computers and will customize its actions accordingly, ignoring some of its configuration options.

Later on, the researchers stumbled upon a new .NET-based malware distributed by the DNSpionage campaign which they dubbed 'Karkoff' after one of the plain text internal names they discovered. 

"The malware is lightweight compared to other malware due to its small size and allows remote code execution from the C2 server. There is no obfuscation and the code can be easily disassembled," says Cisco Talos.

What makes Karkoff a bit 'special' is the fact that it will log all the commands it executes on the compromised systems — also attaching timestamps to each and every one of them — making its victims' task of detecting the damages it inflicts a lot easier.

Cisco Talos was able to link the new Karkoff malware with the DNSpionage campaign after noticing that their infrastructures overlap, both using rimrun[.]com as a C2 server with IP addresses previously used by the attackers for assets connected to their malware campaign.

DNS hijacking alert issued by the DHS

Domain name system (DNS) is a service which allows users to enter website addresses in the form of domain names instead of having to type in the IP addresses of the webs servers in their web browsers.

Gaining access to the DNS records using DNS hijacking attacks makes it possible for threat actors to redirect their targets' name servers to their own infrastructure, allowing them to funnel their victims to servers they control and compromise them using malware or various malicious tools.

As discovered by Cisco Talos, the DNSpionage attackers' had their sights set on various targets from the Middle East during the initial phase of the attack and launched DNS hijacking attacks against a number of Lebanon and United Arab Emirates government domains.

Earlier this year and following the DNS hijacks reported by the Cisco Talos Group, FireEye, and CrowdStrike, the Department of Homeland Security (DHS) issued a DNS infrastructure hijacking campaign alert requiring all U.S. agencies to check if their .gov or agency-managed domains are resolving to the right IP addresses.

Additionally, just last week, Cisco Talos' research team also disclosed details regarding 'Sea Turtle', a state-sponsored attack campaign that used DNS hijacking to compromise around 40 public and private organizations from 13 countries.