DNSpionage campaign releases new Karkoff malware into the wild

In a change of tactic, victims are also now being selectively targeted.

L0rdix, the Swiss Army knife of Windows hacking, available for purchase in the Dark Web The new tool combines data theft and cryptocurrency mining as a go-to product for attacking Windows machines.

The hacking group behind the DNSpionage campaign have become more choosy in their targets and have released a new form of malware to further their goals.

DNSpionage, first discovered in late 2018 by Cisco Talos, utilizes fake websites and specializes in DNS tampering to redirect traffic from legitimate domains to malicious ones. The threat actors also make use of free Let's Encrypt security certificates for redirected domains.

Past attacks have been detected against private Lebanese targets including an airline, alongside government domains used by Lebanon and the United Arab Emirates (UAE).

The group has now created a new remote administration tool that supports HTTP and DNS communication with their command-and-control (C2) server, according to a new Talos blog post published on Tuesday.

Since the original report, DNSpionage has now revamped its attack methods with a new reconnaissance stage in order to avoid detection by researchers and to create a "fingerprint" for victim systems.

Targets are selectively chosen and become recipients of spear phishing messages containing a malicious Microsoft Word and Excel documents containing malicious macros.

DNSpionage, when executed through the macros, is renamed as "taskwin32.exe" and a scheduled task designed to maintain persistence is named "onedrive updater v10.12.5." Strings are also split to obfuscate the malware's code.

The malicious code first aims to drop a Windows batch file to execute WMI commands and obtain a list of a machine's running process, as well as funnel platform-specific information to the C2.

See also: Trojanized TeamViewer used in government, embassy attacks across Europe

DNSpionage will then search for antivirus products; specifically, Avira and Avast. If either product is detected, certain configurations will be ignored before proceeding with the infection.  

It was this month that Talos researchers discovered the new Karkoff .Net malware. The team says that the malware is "lightweight" and permits remote code execution through the C2. There is no obfuscation in play so Karkoff is easily picked apart.

The malware does have an interesting element, however, in that Karkoff generates a log file which stores executed commands with timestamps. If organizations fall victim to Karkoff, they would be able to use this file to review exactly what happened, and where.

There are infrastructure overlaps between DNSpionage and Karkoff, including IPs connected to a Karkoff C2 server in which usage of the IPs by Karkoff and DNSpionage tie well with observed attack timelines.

TechRepublic: Small business owners: Don't rush into using AI

It does appear that DNSpionage may have a sense of humor -- or at least some form of contempt for the cybersecurity industry. For example, in one malicious Excel document obtained by Talos, users are greeted with the insult "haha you are donkey." Another indicator is that the domain used for the C2 does not even try to appear legitimate, as it uses the name coldfart.com and is hosted in the United States -- unusual moves for a campaign trying to operate under the radar.

It is possible that DNSpionage may be connected to OilRig, a threat group that has maintained persistent attacks against targets in the Middle East for a number of years. OilRig was first discovered in 2016 and uses a variety of Trojans, DNS tunneling, and spear phishing tactics to snare targets.

CNET: Hackers hit Atlanta Hawks shop with malware that steals credit card information

Talos says there is a "weak" link between this group and DNSpionage based on similar URL fields, but it is not possible at this stage to confirm whether or not they are one and the same, or are working together.

"The threat actor's ongoing development of DNSpionage malware shows that the attacker continues to find new ways to avoid detection," the researchers say. "The oddities we mentioned are certainly not normal, but the payload was clearly updated to attempt to remain more elusive."

In related news, Iranian hacking tools were recently leaked on Instagram. As ZDNet has previously reported, a leaker involved in the situation claimed to be associated with DNSpionage campaign, but this has not been confirmed.

Previous and related coverage