DNSpionage Drops New Karkoff Malware, Cherry-Picks Its Victims

LASER_oneXM

Level 37
Thread author
The DNSpionage malware campaign has added a new reconnaissance stage, showing that the attackers have become more selective about their targets, as well as a new .NET-based malware dubbed Karkoff, designed to let them execute code remotely on compromised hosts.

DNSpionage's new victim survey phase also allows it to avoid analysis by researchers and to avoid dropping its malware payloads on sandboxes designed for malware analysis, as detailed by Cisco Talos security researchers Warren Mercer and Paul Rascagneres.

As Cisco Talos detailed back in November, the DNSpionage attack campaign uses a custom remote administration tool that communicates with its command-and-control (C2) servers via HTTP and DNS channels, and which also gives the campaign its name.
... ...
New malicious tools designed to improve attack efficiency

Since the initial report, the hackers behind the DNSpionage campaign have improved their attack methods and expanded their malicious toolset, as Cisco Talos learned in February when it spotted new and updated malware being dropped during the attacks.

More to the point, as part of the new reconnaissance phase added to the campaign, "the malware drops a Windows batch file (a.bat) in order to execute a WMI command and obtain all the running processes on the victim's machine." Combined with a call to the NetWkstaGetInfo() API, this lets the malware collect workstation environment information used to fingerprint the victim's machine.

The attackers also improved the malware's ability to hide its activity by splitting API calls, effectively breaking YARA rules that detect malicious activity by matching specific strings.
... ...
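One way to hunt for the reconnaissance stage described in the post above (a dropped batch file that runs a WMI process enumeration), as an added example that is not part of the original article or of Cisco Talos's analysis. Field names follow Sysmon Event ID 1 (process creation); the sample events, the `a.bat` path and the command lines are constructed for illustration and are not indicators taken from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Directories an unprivileged dropper can write to.  A batch file that
# lives in one of these and immediately enumerates processes looks much
# more like the a.bat recon stage than a logon script on a file share.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData|Downloads)\\",
    re.IGNORECASE,
)
BATCH_FILE = re.compile(r"[\w\-]+\.bat\b", re.IGNORECASE)
# wmic process enumeration, e.g. "wmic process list" or "wmic process get ...".
WMI_PROC_ENUM = re.compile(r"\bprocess\s+(?:list|get)\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str
    parent_cmdline: str


def is_wmi_process_enum(e: ProcEvent) -> bool:
    """True when the child is wmic.exe asked for the process list."""
    return (e.image.lower().endswith("\\wmic.exe")
            and WMI_PROC_ENUM.search(e.cmdline) is not None)


def launched_from_dropped_batch(e: ProcEvent) -> bool:
    """True when the parent is cmd.exe running a .bat from a user-writable path."""
    if not e.parent_image.lower().endswith("\\cmd.exe"):
        return False
    return (BATCH_FILE.search(e.parent_cmdline) is not None
            and USER_WRITABLE.search(e.parent_cmdline) is not None)


def hunt(events: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """Return (parent_pid, pid, batch command line) for each suspicious chain."""
    return [(e.parent_pid, e.pid, e.parent_cmdline)
            for e in events
            if is_wmi_process_enum(e) and launched_from_dropped_batch(e)]


# Constructed sample events (not real telemetry).  Only the first should fire.
SAMPLE_EVENTS = [
    # Hypothetical dropped batch file in %TEMP% enumerating processes via WMI.
    ProcEvent(4012, r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic process list full",
              3988, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\bob\AppData\Local\Temp\a.bat"'),
    # An admin enumerating processes interactively from PowerShell.
    ProcEvent(5120, r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic process get name,processid",
              5100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
    # An inventory logon script from the domain's NETLOGON share.
    ProcEvent(6210, r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic process get name",
              6200, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c \\dc01\NETLOGON\inventory.bat"),
    # Same dropped batch file, but a WMI query that is not process enumeration.
    ProcEvent(4020, r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic os get caption",
              3988, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\bob\AppData\Local\Temp\a.bat"'),
]

if __name__ == "__main__":
    for parent_pid, pid, cmd in hunt(SAMPLE_EVENTS):
        print(f"suspicious recon chain: cmd.exe pid {parent_pid} "
              f"-> wmic.exe pid {pid}: {cmd}")
```

The NetWkstaGetInfo() call mentioned in the post is an in-process API call and leaves no process-creation event, so the hunt keys on the observable part of the stage: cmd.exe running a batch file from a user-writable directory whose child is wmic.exe enumerating processes. The path allow-list is the tuning knob; if your environment legitimately runs inventory scripts out of ProgramData or Public, move those to exclusions rather than dropping the wmic condition.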