Pierluigi Paganini April 24, 2019

Iran-linked OilRig cyberespionage group is using the reconnaissance malware Karkoff along with DNSpionage in recent campaigns.Iran-linked OilRig cyberespione group is using the reconnaissance malware Karkoff along with DNSpionage in recent campaigns.

The OilRig APT group, the threat actor behind the DNSpionage malware campaign, is carrying out a new sophisticated and targeted operation that infects victims with a new variant of the dreaded malware.

DNSpionage is a custom RAT that uses HTTP and DNS communication to connect with the C&C server.

Threat actors distributed the malware through compromised websites and weaponized documents.

“In February, we discovered some changes to the actors’ tactics, techniques and procedures (TTPs), including the use of a new reconnaissance phase that selectively chooses which targets to infect with malware.” reads the analysis published by Talos. “In April 2019, we also discovered the actors using a new malware, which we are calling “Karkoff.” reads the analysis published by Talos.

According to Cisco Talos threat research team, the attackers are leveraging on new tactics, techniques, and procedures to improve the efficacy of their operations.

Unlike previous attacks, the group is now using a new malware, tracked as Karkoff, for reconnaissance purposes. Karkoff is used by hackers to surgically select a target and remain under the radar, it allows to gather system information related to the workstation environment, operating system, domain, and list of running processes on the victims’ machine.

Karkoff is developed in .NET, it also allows attackers to remotely execute arbitrary code on compromised hosts.

The experts link the DNSpionage and Karkoff malware after observing overlaps between their C2 infrastructure.

Experts noticed that the malware searches for two specific anti-virus solutions, Avira and Avast. If one of them is installed on the target system, a specific flag will be set, and some options from the configuration file will be ignored.

Researchers at Talos noticed that the Karkoff malware generates a log file on the compromised machine which tracks all commands it has executed and related timeline.

“From an incident response point of view, it’s interesting to note that the malware generates a log file: C:\\Windows\\Temp\\MSEx_log.txt. The executed commands are stored in this file (xored with ‘M’) with a timestamp.” continues the experts. “This log file can be easily used to create a timeline of the command execution which can be extremely useful when responding to this type of threat. With this in mind, an organisation compromised with this malware would have the opportunity to review the log file and identify the commands carried out against them.” “

Attackers behind the DNSpionage campaigns continue to be focused on entities in the Middle Eastern region, including Lebanon and the United Arab Emirates (UAE).

“The threat actor’s ongoing development of DNSpionage malware shows that the attacker continues to find new ways to avoid detection.” “DNS tunneling is a popular method of exfiltration for some actors and recent examples of DNSpionage show that we must ensure DNS is monitored as closely as an organization’s normal proxy or weblogs.” concludes Talos. “The discovery of Karkoff also shows the actor is pivoting and is increasingly attempting to avoid detection while remaining very focused on the Middle Eastern region.”

Pierluigi Paganini

(SecurityAffairs – hacking, DNSpionage)

[adrotate banner=”5″]

[adrotate banner=”13″]