Karkoff DNS Malware

Karkoff is a newly observed .NET-based malware believed to have been created by the group behind DNSpionage for use as a remote execution tool during these campaigns.

During new DNSpionage campaigns, the group performs extensive reconnaissance on the affected system, including collecting user and system information, before installing Karkoff. They also check for the presence of several anti-virus products on the system and will not install Karkoff if any are present.

Once installed, Karkoff will initiate a new command and control connection using the same infrastructure as previous DNSpionage campaigns, before awaiting further commands.

The domain used for the C2 is also bizarre. The previous version of DNSpionage attempted to use legitimate-looking domains in an attempt to remain undetected. However, this newer version uses the domain “coldfart[.]com,” which is easier to spot than the domains used by other APT campaigns, which generally try to blend in with the traffic typical of enterprise environments. The domain was also hosted in the U.S., which is unusual for any espionage-style attack.

coldfart.com website

Affected Platforms

DNS Servers

Indicators of Compromise (IOCs)

The following IOCs are associated with this campaign:

DNSpionage XLS document

2fa19292f353b4078a9bf398f8837d991e383c99e147727eaa6a03ce0259b3c5 (SHA256)

DNSpionage sample

e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8 (SHA256)

Karkoff samples

5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c
6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11
b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04
cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5

C2 server

coldfart[.]com
rimrun[.]com
kuternull[.]com
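As an added, defender-side example (not code from this page or from the original research), the following Python checks DNS query-log lines against the C2 domains listed above, refanging the "[.]" notation and matching subdomains as well as exact names; the log lines and client addresses are constructed for illustration and assume a BIND-style query-log format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# C2 domains exactly as listed on the page (defanged with "[.]").
C2_DOMAINS_DEFANGED = ["coldfart[.]com", "rimrun[.]com", "kuternull[.]com"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'coldfart[.]com' back into 'coldfart.com'."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}

def matches_c2(qname: str) -> Optional[str]:
    """Return the matching C2 domain if qname is that domain or a subdomain of it."""
    name = qname.strip().lower().rstrip(".")  # normalise case and trailing root dot
    for dom in C2_DOMAINS:
        if name == dom or name.endswith("." + dom):  # avoids 'notcoldfart.com'
            return dom
    return None

# Constructed sample lines (not from the page) in a BIND-style query-log format.
SAMPLE_LOG = """\
12-Apr-2019 09:14:02.113 client 10.0.0.15#51234: query: www.example.com IN A + (10.0.0.1)
12-Apr-2019 09:14:05.771 client 10.0.0.27#40022: query: coldfart.com IN A + (10.0.0.1)
12-Apr-2019 09:14:09.004 client 10.0.0.27#40023: query: update.rimrun.com. IN TXT + (10.0.0.1)
12-Apr-2019 09:14:11.560 client 10.0.0.31#53001: query: notcoldfart.com IN A + (10.0.0.1)
"""

LINE_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

@dataclass(frozen=True)
class Hit:
    client: str
    qname: str
    qtype: str
    ioc: str

def scan_dns_log(text: str) -> List[Hit]:
    """Parse each query-log line and report queries that resolve to a listed C2 domain."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ioc = matches_c2(m["qname"])
        if ioc:
            hits.append(Hit(m["client"], m["qname"], m["qtype"], ioc))
    return hits

if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG):
        print(f"{h.client} queried {h.qname} ({h.qtype}) -> matches IOC {h.ioc}")
```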

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
