The threat actors behind the DNSpionage malware campaign have launched a new malware strain dubbed Karkoff. DNSpionage was first detected in late 2018, when it was used to target government and private entities in the UAE and Lebanon.

The hacker group behind DNSpionage has been constantly evolving, altering attack tactics and adding new tools to its campaign. According to security experts at Cisco Talos, who uncovered the campaign and the new Karkoff malware, the hackers behind this campaign may be linked to the OilRig hacker group aka APT34.

OilRig's activity was first discovered in 2016. The advanced persistent threat (APT) group is known for DNS tunnelling, a wide variety of malware and phishing in its attacks. Earlier this month, a mysterious group began leaking APT34's toolset.

"It looks like either a disgruntled insider is leaking tools from APT34 operators, or it's a Shadow Brokers–esque sort of entity interested in disrupting operations for this particular group," Brandon Levene, head of applied intelligence at the security firm Chronicle, told Wired. "They do seem to have something out for these guys. They're naming and shaming, not just dropping tools."


To keep the campaign effective, the group developed Karkoff, a remote administration tool (RAT). Karkoff supports both HTTP and DNS communication with its command-and-control (C2) server, giving the operators a second channel if one is filtered. The operators also added a reconnaissance phase that profiles the victim before Karkoff is deployed, so the payload is dropped only on specific targets.
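The DNS channel mentioned above is what a defender can hunt for in resolver logs: data carried in query names looks different from ordinary lookups. The Python below is an added example written for this page, not code from Cisco Talos or from the Karkoff sample. The log format, the domain names (`cdn-update.invalid`, `example.com`) and the thresholds are constructed for illustration; a real deployment would tune them against its own baseline.

```python
import math
from collections import defaultdict

# Constructed resolver log for this example (not data from the Talos report).
# Fields: timestamp, client IP, query type, query name.
SAMPLE_LOG = """\
2019-04-23T10:00:01Z 10.0.0.5 A www.example.com
2019-04-23T10:00:02Z 10.0.0.5 A mail.example.com
2019-04-23T10:00:02Z 10.0.0.5 AAAA www.example.com
2019-04-23T10:00:03Z 10.0.0.5 A www.example.com
2019-04-23T10:00:03Z 10.0.0.7 TXT 6a7b3c9d1e2f4a5b6c7d8e9f0a1b2c3d.cdn-update.invalid
2019-04-23T10:00:04Z 10.0.0.7 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.cdn-update.invalid
2019-04-23T10:00:05Z 10.0.0.7 TXT 0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f.cdn-update.invalid
2019-04-23T10:00:06Z 10.0.0.7 TXT 5e4d3c2b1a0f9e8d7c6b5a4938271605.cdn-update.invalid
2019-04-23T10:00:07Z 10.0.0.7 TXT b1c2d3e4f5a6978685746352413029ff.cdn-update.invalid
2019-04-23T10:00:08Z 10.0.0.9 A static.example.net
"""


def shannon_entropy(s):
    """Bits per character; hex-encoded data approaches 4.0, hostnames stay well below."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the constructed four-column format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                        "qname": qname.lower().rstrip(".")})
    return records


def registered_domain(qname):
    """Approximate the registrable domain as the last two labels.
    Production code should use the Public Suffix List (co.uk and friends need three)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def profile_domains(records):
    """Aggregate per-domain features that separate data-carrying queries from lookups."""
    profiles = defaultdict(lambda: {"queries": 0, "names": set(), "txt_null": 0,
                                    "entropies": [], "max_label_len": 0})
    for r in records:
        dom = registered_domain(r["qname"])
        p = profiles[dom]
        p["queries"] += 1
        p["names"].add(r["qname"])
        if r["qtype"] in ("TXT", "NULL"):  # record types favoured by tunnels
            p["txt_null"] += 1
        # Only the labels left of the registrable domain can carry attacker data.
        prefix = r["qname"][:-len(dom)].rstrip(".") if r["qname"] != dom else ""
        for label in filter(None, prefix.split(".")):
            p["entropies"].append(shannon_entropy(label))
            p["max_label_len"] = max(p["max_label_len"], len(label))
    return profiles


def detect_tunnelling(profiles, min_queries=4, min_entropy=3.5,
                      min_label_len=30, min_txt_null_fraction=0.5):
    """Return {domain: [reasons]} for domains where at least two tunnelling signals coincide."""
    flagged = {}
    for dom, p in profiles.items():
        if p["queries"] < min_queries:
            continue
        reasons = []
        mean_entropy = sum(p["entropies"]) / len(p["entropies"]) if p["entropies"] else 0.0
        if mean_entropy >= min_entropy and p["max_label_len"] >= min_label_len:
            reasons.append(f"high-entropy long labels (mean {mean_entropy:.2f} bits, "
                           f"max label length {p['max_label_len']})")
        if len(p["names"]) == p["queries"]:
            reasons.append("every query used a never-before-seen name")
        txt_fraction = p["txt_null"] / p["queries"]
        if txt_fraction >= min_txt_null_fraction:
            reasons.append(f"{txt_fraction:.0%} of queries were TXT/NULL")
        if len(reasons) >= 2:  # a single signal alone is too noisy on real traffic
            flagged[dom] = reasons
    return flagged


if __name__ == "__main__":
    for dom, reasons in detect_tunnelling(profile_domains(parse_log(SAMPLE_LOG))).items():
        print(dom)
        for reason in reasons:
            print("  -", reason)
```

Two signals are required before a domain is reported because each one alone has benign look-alikes (CDN hostnames with hashed labels, mail servers issuing many TXT lookups). The thresholds fit the constructed sample; a patient operator can throttle query volume and use lower-entropy encodings, so in practice this heuristic belongs alongside volume baselining and an allow-list of known domains, not on its own.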

Apart from stealing information from the infected system, Karkoff can also detect sandboxing environments and avoid running inside them, which helps it evade automated analysis and detection.

According to Cisco Talos researchers, the threat actors behind the DNSpionage campaign also appear to be poking fun at the infosec community. The hackers were found taunting security researchers, behaviour the researchers describe as out of the ordinary. In one instance, the attackers created an Excel document that greeted anyone who opened it with the words "haha you are donkey". The researchers suggested that the broken English may indicate the attackers are not native English speakers.

"The threat actor's ongoing development of DNSpionage malware shows that the attacker continues to find new ways to avoid detection. The oddities we mentioned are certainly not normal, but the payload was clearly updated to attempt to remain more elusive. The discovery of Karkoff also shows the actor is pivoting and is increasingly attempting to avoid detection while remaining very focused on the Middle Eastern region," Cisco Talos researchers said.