Threat actors behind the DNSpionage cyber attack campaign have changed their tactics, delivering a new malware dubbed “Karkoff” in an effort to avoid detection.
Cisco Talos first discovered the DNSpionage campaign in November 2018. At that time, the actors behind the campaign used a new remote administration tool that communicated over HTTPS and DNS with command and control (C2) systems under their control.
The Department of Homeland Security issued an alert a couple of months later, in January 2019, warning about the increase in DNSpionage cyber attacks. Other public reports have warned of similar DNSpionage attacks since late last year.
In its latest report, Talos says the DNSpionage threat actors have changed their tactics again, adding a new reconnaissance phase that selectively chooses specific targets to infect with malware. Just this month, Talos spotted the cyber criminals using a new malware it calls “Karkoff.”
As part of the new reconnaissance phase, the actor drops the payload only on specific targets rather than downloading it to every machine.
“This new tactic indicates an improved level of actor sophistication,” Talos added.
Talos described the Karkoff malware as lightweight compared to other malware given its small size. The malware also allows remote code execution from the attacker’s C2 server. Talos added that the malware runs as a Windows service named “MSExchangeClient”:
Read more details in the Talos blog post, including the new infection documents used, the Karkoff payload, indicators of compromise and much more.