The attack group behind the ongoing DNS-manipulation attacks known as DNSpionage are continuing to update and evolve their tactics and also have begun selectively deploying a new backdoor, especially against targets in the Middle East.
The DNSpionage campaign is a two-pronged wave of attacks that involved both the installation of malware and the redirection of DNS traffic, usually from government agencies. The attacks were uncovered last year when researchers with Cisco’s Talos Intelligence Group discovered the adversaries targeting government agencies and other organizations in Lebanon and the United Arab Emirates. The DNSpionage attackers have focused their energy on that region and has seen some success. In the attacks revealed in November, the attackers were able to redirect the DNS of some government and private organizations and used legitimate Let’s Encrypt certificates in the operation.
Now, the same group is using a new malicious document as part of its infection routine, along with the new backdoor, called Karkoff. The new sample has some similarities with the older ones, but also has some modifications and is contained within an Excel sheet rather than a Word document.
“The malware supports HTTP and DNS communication to the C2 server. The HTTP communication is hidden in the comments in the HTML code. This time, however, the C2 server mimics the GitHub platform instead of Wikipedia. While the DNS communication follows the same method we described in our previous article, the developer added some new features in this latest version and, this time, the actor removed the debug mode,” Warren Mercer and Paul Rascagneres of Talos said in an analysis of the new samples.
“We also discovered that the actor added a reconnaissance phase, likely in response to the significant amount of interest in the campaign. This new phase, which is discussed in greater detail below, ensures that the payload is being dropped on specific targets rather than indiscriminately downloaded on every machine. This new tactic indicates an improved level of actor sophistication.”
"We have high confidence the same actor uses the Karkoff and DNSpionage samples."
Attackers, especially high-level ones, will change their tactics and techniques regularly in an effort to stay ahead of defenders and security researchers. The DNSpionage actors are no exception, as they appear to have shifted some of their operations. The changes include not just new malicious documents, but also the deployment of the Karkoff backdoor. The Talos researchers discovered Karkoff earlier this month and found some interesting characteristics, such as the inclusion of a log file for commands the malware executes and hard-coded command-and-control server addresses.
“The malware is lightweight compared to other malware due to its small size and allows remote code execution from the C2 server. There is no obfuscation and the code can be easily disassembled. The malware is a Windows service named ‘MSExchangeClient:’,” Mercer and Rascagneres said.
Two of the C2 servers that Karkoff uses also were used by the DNSpionage malware in September.
“Based on these overlaps in IP usage during the same time period, we have high confidence the same actor uses the Karkoff and DNSpionage samples,” the researchers said.
Mercer and Rascagneres also noted that there may be a connection between the DNSpionage attackers and the OilRig tools that were leaked last week. OilRig, also known as APT34, is a well-known attack group that has been linked to the Iranian intelligence service. An unknown person or group recently began publishing tools used by OilRig, along with identifying information about the team’s victims and some of its operators. Part of the leak is a screenshot of a C2 panel that included a URL that was remarkably similar to one found in a panel used by the DNSpionage group.
“The panel path of the leak and Django internal variables of the DNSpionage C2 server are very similar: /Th!swasP@NEl and /Th!sIsP@NeL. While this single panel path is not enough to draw firm conclusions, it is worth highlighting for the security research community as we all continue to investigate these events,” Mercer and Rascagneres said.