The DNSpionage malware campaign has added a new reconnaissance stage showing that the attackers have become more picky with their targets, as well as a new .NET-based malware dubbed Karkoff and designed to allow them to execute code remotely on compromised hosts.
DNSpionage's new victim-survey phase also lets it avoid analysis by researchers and avoid dropping its malware payloads on sandboxes built for malware analysis, as detailed by Cisco Talos security researchers Warren Mercer and Paul Rascagneres.
As Cisco Talos first reported back in November, the DNSpionage campaign uses a custom remote administration tool that communicates with its command-and-control (C2) servers over HTTP and DNS channels, and that tool is also what gives the campaign its name.
New malicious tools designed to improve attack efficiency
Since the initial report, the hackers behind DNSpionage have improved their attack methods and expanded their toolset, as Cisco Talos learned in February when it spotted new and updated malware being dropped during the attacks.
More to the point, as part of the new reconnaissance phase added to the campaign, "the malware drops a Windows batch file (a.bat) in order to execute a WMI command and obtain all the running processes on the victim's machine." This, coupled with a NetWkstaGetInfo() API call, lets it collect workstation environment information used to fingerprint the victim's machine.
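The reconnaissance step described above leaves a recognisable trace in process-creation telemetry: a batch file launched through cmd.exe spawning a WMI process listing. The following is an added detection example, not code from the article or from Cisco Talos. It assumes Sysmon-style event fields (Image, CommandLine, ParentImage, ParentCommandLine) and assumes the WMI command takes the common WMIC "process list" or "process get" form, which the article does not spell out; the sample events are constructed.

```python
import re

# Added example: flag WMI process enumeration spawned by a batch file, the
# reconnaissance behaviour described in the article. Field names follow
# Sysmon Event ID 1 (assumption); the WMIC command forms are assumed.

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\a.bat"',
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process list full"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'cmd.exe /c "C:\Ops\inventory.bat"',
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process get name,processid"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "cmd.exe /c dir",
     "Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami"},
]

# Child image is WMIC (case-insensitive, any install path).
WMIC_IMAGE = re.compile(r"\\wmic\.exe$", re.IGNORECASE)
# "process list ..." / "process get ..." enumerate running processes (assumed form).
PROC_ENUM = re.compile(r"\bprocess\s+(list|get)\b", re.IGNORECASE)
# A .bat/.cmd path passed to the parent cmd.exe, with or without quotes.
BATCH_ARG = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:bat|cmd))"?', re.IGNORECASE)
# Locations a low-privileged user can write to; scripts there rate higher.
USER_WRITABLE = re.compile(
    r"\\(Temp|AppData|Users\\[^\\]+\\Downloads|ProgramData)\\", re.IGNORECASE)


def batch_file_from(parent_cmdline):
    """Return the batch script path in the parent command line, or None."""
    m = BATCH_ARG.search(parent_cmdline)
    return m.group(1) if m else None


def is_process_enumeration(event):
    """True when the child is WMIC listing processes."""
    return bool(WMIC_IMAGE.search(event["Image"])
                and PROC_ENUM.search(event["CommandLine"]))


def assess(event):
    """Return a finding dict for batch-driven process enumeration, else None."""
    if not is_process_enumeration(event):
        return None
    script = batch_file_from(event["ParentCommandLine"])
    if script is None:
        return None  # interactive or non-script use of WMIC; not this pattern
    severity = "high" if USER_WRITABLE.search(script) else "medium"
    return {"batch": script, "severity": severity,
            "command": event["CommandLine"]}


def find_findings(events):
    """Run assess() over a batch of events and keep the hits."""
    return [f for f in (assess(e) for e in events) if f]


if __name__ == "__main__":
    for finding in find_findings(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['batch']} -> {finding['command']}")
```

The severity split matters in practice: an admin inventory script under C:\Ops will trip the same WMIC pattern as a.bat, so the location of the batch file (a user-writable temp or profile directory versus a managed path) is what separates a likely drop-and-recon sequence from routine administration and keeps the rule from being discarded as noisy.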
The attackers also improved the malware's ability to hide its activity by splitting API calls, effectively breaking Yara rules that detect malicious activity by matching specific strings.