
DNSpionage actors adjust tactics, debut new remote administration tool

The actors responsible for the DNSpionage DNS hijacking campaign have altered some of their tactics, techniques and procedures (TTPs), introducing a new reconnaissance phase as well as a new malicious remote administration tool called Karkoff.

Discovered last November, the operation primarily targets Lebanon- and United Arab Emirates-affiliated .gov domains, commandeering the websites' DNS servers so that visitors are redirected to a malicious Internet address that harvests users' login credentials, for espionage purposes. The threat actors initially accomplish this compromise by infecting their targets via phony documents with malicious attachments.

The campaign, which has prompted warnings from the Department of Homeland Security and the Internet Corporation for Assigned Names and Numbers (ICANN), has been potentially linked to Iran's Ministry of Intelligence, and now a new blog post from Cisco Systems' Talos division has revealed yet another possible connection, while also detailing DNSpionage's newly adopted TTPs.

Talos first observed the Karkoff payload earlier this month. In their report, researchers Warren Mercer and Paul Rascagneres describe it as a lightweight, .NET-based program that enables remote code execution from a command-and-control server, whose domain is hard-coded into the malware. Similar to past malware used by the DNSpionage actors, the tool supports HTTP, HTTPS and DNS communication with the C2 server, and its communication is hidden in comments in the HTML code. (Except here, the C2 server impersonates the GitHub platform instead of Wikipedia, as was the case previously.)
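Hiding C2 traffic inside HTML comments works because most proxies and content filters treat comments as inert markup. The following is an added example, not code from the Talos report or from the Karkoff malware: a small Python script that pulls every comment out of an HTTP response body and flags tokens that are valid base64 and either decode to readable text or look random. The base64 heuristic and the sample page are assumptions for illustration (the article does not state how Karkoff encodes its messages), and the HTML is constructed; the point is the defensive check of inspecting comment bodies rather than ignoring them.

```python
import base64
import math
import re
from typing import Dict, List

# Constructed sample HTML body: the first comment is ordinary developer
# commentary, the second hides a base64 blob (placeholder content, not a
# real Karkoff message) of the kind a C2 channel can tuck into comments.
SAMPLE_HTML = """<!doctype html>
<html><head><title>Project page</title>
<!-- TODO: replace placeholder logo before release -->
</head><body>
<p>Welcome.</p>
<!-- Q2hlY2sgaW4gZnJvbSBob3N0OiBXUy0wMSB1c2VyOiBhbGljZQ== -->
</body></html>
"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Heuristic (an assumption, not Karkoff's real encoding): a run of base64
# alphabet characters at least 16 long inside a comment deserves a look.
B64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def shannon_entropy(text: str) -> float:
    """Bits per character of the text's character distribution."""
    if not text:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_comments(html: str) -> List[str]:
    """Return the bodies of all HTML comments, whitespace-trimmed."""
    return [m.strip() for m in COMMENT_RE.findall(html)]


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def analyse_comments(html: str, entropy_threshold: float = 4.0) -> List[Dict[str, object]]:
    """Flag comment tokens that are valid base64 and either decode to readable
    text (a command or check-in string) or look random (encrypted/compressed)."""
    findings: List[Dict[str, object]] = []
    for comment in extract_comments(html):
        for token in comment.split():
            if not B64_TOKEN_RE.match(token) or len(token) % 4:
                continue
            try:
                decoded = base64.b64decode(token, validate=True)
            except ValueError:  # binascii.Error is a subclass of ValueError
                continue
            ratio = printable_ratio(decoded)
            entropy = shannon_entropy(token)
            if ratio >= 0.9 or entropy >= entropy_threshold:
                findings.append({
                    "comment": comment,
                    "token": token,
                    "entropy": round(entropy, 2),
                    "printable_ratio": round(ratio, 2),
                    "decoded_preview": decoded[:64].decode("ascii", "replace"),
                })
    return findings


if __name__ == "__main__":
    for f in analyse_comments(SAMPLE_HTML):
        print(f"suspicious comment token {str(f['token'])[:24]}... "
              f"(entropy {f['entropy']}, printable {f['printable_ratio']}): "
              f"{f['decoded_preview']!r}")
```

In practice this check would run over response bodies captured at the proxy for hosts that are not expected to serve dynamic content, with the flagged comment and the requesting host written to the SIEM; the readable-text branch catches plaintext tasking, while the entropy branch catches payloads that were encrypted before encoding.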

Strangely, this malware generates a log file in which the executed commands are timestamped -- which gives threat responders an easy way to track the attackers' actions if and when they are detected. But that's not the only bizarre element to this campaign: the C2 server was spotted using the domain coldfart[.]com -- not exactly the most legit-sounding name.

Also, the infection process includes a new reconnaissance phase that attempts to avoid sandbox environments and reduce the odds of discovery by ensuring the payload is delivered only when it is advantageous to the attackers. According to Talos, the malware collects information such as an infected machine's username, computer name, running processes, workstation environment, domain name and operating system information.

As additional defenses, the actor splits API calls and internal strings to prevent static analysis, and has programmed the malware to search for and flag machines with Avira and Avast security products installed.

Talos also notes that Karkoff shares some C2 infrastructure with past DNSpionage activity, but perhaps an even more interesting discovery is a possible connection to the Iran-linked threat actor OilRig, whose malicious tools were recently leaked online by the hacking group Lab Dookhtegan.

"Information from the leak provides a weak link between Oilrig and the DNSpionage actors based on similar URL fields. While not definitive, it is an interesting data point to share with the research community," the blog post states. Also, the leak included a repository named "webmask_dnspionage" and C2 panel screenshots showing a list of victims that are primarily from Lebanon -- a key DNSpionage target.

And, finally, Talos noticed that a URL visible in one of the leaked documents contained a variable value that was previously observed in relation to DNSpionage's C2 server. "While this single panel path is not enough to draw firm conclusions, it is worth highlighting for the security research community as we all continue to investigate these events."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
