Karkoff is a newly observed .NET-based malware believed to have been created by the group behind DNSpionage for use as a remote execution tool during these campaigns.
During the new DNSpionage campaigns, the group performs extensive reconnaissance on the affected system, including collecting user and system information, before installing Karkoff. It also checks for the presence of several anti-virus products and will not install Karkoff if any of them are found.
Once installed, Karkoff will initiate a new command and control connection using the same infrastructure as previous DNSpionage campaigns, before awaiting further commands.
The domain used for the C2 is also odd. The previous version of DNSpionage used legitimate-looking domains in an attempt to remain undetected. This newer version instead uses the domain "coldfart[.]com", which is easier to spot than the infrastructure of most APT campaigns, which generally try to blend in with the kind of traffic that is normal in enterprise environments. The domain was also hosted in the U.S., which is unusual for an espionage-style attack.
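Because the C2 domain is so distinctive, the cheapest check a defender can run is a retrospective search of DNS query logs for that domain and any of its subdomains. The script below is an added example written for this article, not code from the original post or from the researchers who analysed Karkoff. It refangs the indicator exactly as written above ("coldfart[.]com"), parses a simple, hypothetical "timestamp client qname qtype" log format, and does label-aware suffix matching so that a look-alike such as "notcoldfart.com" or "coldfart.com.evil-lookalike.net" is not reported. Every log line in it is constructed for illustration.

```python
"""Search DNS query logs for the Karkoff/DNSpionage C2 domain named in the article.

Added example, not code from the original article. The log format and all
sample log lines are constructed; only the C2 domain comes from the article.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# IOC as written in the article (defanged with brackets).
C2_DOMAINS_DEFANGED = ["coldfart[.]com"]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'coldfart[.]com' into a usable domain."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().strip(".")


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


@dataclass
class DnsQuery:
    ts: str
    client: str
    qname: str
    qtype: str


# Assumed (hypothetical) log format: "<timestamp> <client_ip> <qname> <qtype>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)$"
)


def parse_line(line: str) -> Optional[DnsQuery]:
    """Parse one log line; returns None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # Normalise: DNS names are case-insensitive and may carry a trailing dot.
    qname = m.group("qname").lower().rstrip(".")
    return DnsQuery(m.group("ts"), m.group("client"), qname, m.group("qtype"))


def matches_c2(qname: str, c2_domains=C2_DOMAINS) -> bool:
    """True if qname is a C2 domain or a subdomain of one.

    The suffix check is label-aware: 'notcoldfart.com' must not match
    'coldfart.com', and neither must 'coldfart.com.evil-lookalike.net'.
    """
    return any(qname == d or qname.endswith("." + d) for d in c2_domains)


def find_c2_queries(lines: Iterable[str]) -> List[DnsQuery]:
    """Return every parsable query whose name matches a C2 domain."""
    hits = []
    for line in lines:
        q = parse_line(line)
        if q and matches_c2(q.qname):
            hits.append(q)
    return hits


# Constructed sample log: two true hits, two look-alikes, one benign query.
SAMPLE_LOG = """\
2019-04-23T10:01:02Z 10.1.1.20 www.example.com. A
2019-04-23T10:01:05Z 10.1.1.20 coldfart.com. A
2019-04-23T10:01:09Z 10.1.1.21 notcoldfart.com. A
2019-04-23T10:02:11Z 10.1.1.22 api.COLDFART.com A
2019-04-23T10:02:30Z 10.1.1.22 coldfart.com.evil-lookalike.net. TXT
""".splitlines()

if __name__ == "__main__":
    for hit in find_c2_queries(SAMPLE_LOG):
        print(f"{hit.ts} {hit.client} -> {hit.qname} ({hit.qtype})")
```

Run against the constructed sample, only the queries from 10.1.1.20 for coldfart.com and from 10.1.1.22 for api.coldfart.com are reported. A hit on the domain is evidence of contact with the infrastructure, not proof of a Karkoff install; treat it as a trigger for host triage of the querying client, and bear in mind that a domain this distinctive may be sinkholed or abandoned by the time logs are searched.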
Indicators of Compromise (IOCs)
The following IOCs are associated with this campaign:
DNSpionage XLS document
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.