DNSpionage Actors Adjust Tactics, Debut New RAT

The actors responsible for the DNSpionage DNS hijacking campaign have altered some of their tactics, techniques and procedures (TTPs), introducing a new reconnaissance phase as well as a new malicious remote administration tool called Karkoff.

Discovered last November, the operation primarily targets Lebanon- and United Arab Emirates-affiliated .gov domains, commandeering the websites’ DNS servers so that visitors are redirected to a malicious Internet address that harvests users’ login credentials, for espionage purposes. The threat actors initially accomplish this compromise by infecting their targets via phony documents with malicious attachments.

The campaign, which has prompted warnings from the Department of Homeland Security and the Internet Corporation for Assigned Names and Numbers ICANN, has been potentially linked to Iran’s Ministry of Intelligence, and now a new blog post from Cisco Systems’ Talos division has revealed yet another possible connection, while also detailing DNSpionage’s newly adopted TTPs.

Talos first observed the Karkoff payload earlier this month. In their report, researchers Warren Mercer and Paul Rascagneres describe it as lightweight, .NET-based program that enables remote code execution from a command-and-control server, whose domain is hard-coded into the malware. Similar to past malware used by the DNSpionage actors, the tool supports HTTP, HTTPS and DNS communication with the C2 server, and its communication is hidden in comments in the HTML code. (Except here, the C2 server impersonates the GitHub platform instead of Wikipedia, as was the case previously.)

Strangely, this malware generates a log file in which the executed commands are timestamped — which gives threat responders an easy way to track the attackers’ actions if and when they are detected. But that’s not the only bizarre element to this campaign: the C2 server was spotted used the domain coldfart[.]com — not exactly the most legit-sounding name.

Also, the infection process includes a new reconnaissance phase that attempts to avoid sandbox environments and reduce the odds of discovery by ensuring the payload is delivered only when it is advantageous to the attackers. According to Talos, the malware collects information such as an infected machine’s username, computer name, running processes, workstation environment, domain name and operation system information.

As additional defenses, the actor splits API call and internal strings to prevent static analysis, and has programmed the malware to search for and flag machines with Avira and Avast security products installed.

Talos also notes that Karkoff’s shares some C2 infrastructure with past DNSpionage activity, but perhaps an even more interesting discovery is a possible connection to the Iran-linked threat actor OilRig, whose malicious tools were recently leaked online by the hacking group Lab Dookhtegan.

“Information from the leak provides a weak link between Oilrig and the DNSpionage actors based on similar URL fields. While not definitive, it is an interesting data point to share with the research community,” the blog post states. Also, the leak included a repository named “webmask_dnspionage” repository and C2 panel screenshots showing a list of victims that are primarily from Lebanon — a key DNSpionage target.

And, finally, Talos noticed that a URL visible in one of the leaked documents contained a variable value that was previously observed in relation to DNSpionage’s C2 server. “While this single panel path is not enough to draw firm conclusions, it is worth highlighting for the security research community as we all continue to investigate these events.”