Cisco Talos has revealed in a report that the new campaign initiated by a group of hackers responsible for DNSpionage earlier that uses malware to infiltrate target firms. The malware has the capability to use both regular http and dns-based communication to its command and control servers, moving data stolen from computers to the custody of its authors, as part of the group’s espionage activities. It is considered as a continuation of the DNSpionage campaign when the Talos team has observed the use of macro-enabled Microsoft Word document and macro-enabled Excel spreadsheet with embedded code. Another variant also names itself as taskwin32.exe, with a counterpart Scheduled Task entry named “onedrive updater v10.12.5.”
“The malware supports HTTP and DNS communication to the C2 server. The HTTP communication is hidden in the comments in the HTML code. This time, however, the C2 server mimics the GitHub platform instead of Wikipedia. While the DNS communication follows the same method we described in our previous article, the developer added some new features in this latest version and, this time, the actor removed the debug mode,” explained Warren Mercer, Technical Leader of Cisco Talos team, one of the authors of the report.
A certain variant of the attack comes with the .Net-based Karkoff malware, with the possibility goal of slimming down the footprint of the cyber attack. Karkoff provides the attackers one distinct advantage, remote code execution feature which can be launched from command and control servers. Karkoff registers in the Windows Service list as a “system service” named MSExchangeClient.
“From an incident response point of view, it’s interesting to note that the malware generates a log file: C:\\Windows\\Temp\\MSEx_log.txt. The executed commands are stored in this file (xored with ‘M’) with a timestamp. This log file can be easily used to create a timeline of the command execution which can be extremely useful when responding to this type of threat. With this in mind, an organisation compromised with this malware would have the opportunity to review the log file and identify the commands carried out against them,” added Paul Rascagneres, Mercer’s team mate in Cisco Talos team.
The Cisco Talos team has revealed the IP addresses used by the Command and Control servers. The attackers often change them in order to make security experts from easily detecting them:
108.62.141[.]247 -> from 12/19/18 to 4/13/19
209.141.38[.]71 -> on 12/26/18
107.161.23[.]204 -> on 12/26/18
192.161.187[.]200 -> on 12/26/18
107.161.23[.]204 was used by 0ffice360[.]com on 9/21/18
209.141.38[.]71 was used by hr-wipro[.]com on 9/26/18
192.161.187[.]200 was used by 0ffice360[.]com on 9/21/18
“These dates also match the timeline of observed attacks during the DNSpionage campaign. Based on these overlaps in IP usage during the same time period, we have high confidence the same actor uses the Karkoff and DNSpionage samples,” concluded Mercer.