The hackers behind the DNSpionage campaign have released new malware into the wild and are now selective about whom they target. DNSpionage was first discovered at the end of last year by Cisco Talos; it uses fake websites and specializes in DNS tampering to redirect traffic from legitimate domains to malicious ones. The hackers also obtain free Let’s Encrypt certificates for the redirected domains so the fake sites present valid TLS.
The earlier attacks were made against private Lebanese targets, including an airline, as well as government domains belonging to Lebanon and the United Arab Emirates.
According to Talos, the hacking group has created a new remote administration tool that supports both HTTP and DNS communication with its command-and-control (C2) server.
DNSpionage has now reworked its attack chain, adding a new reconnaissance stage that “fingerprints” victim systems and helps the malware avoid detection by researchers.
The targets are chosen selectively and receive spear-phishing messages carrying Microsoft Word and Excel documents that contain malicious macros.
When dropped by the macros, DNSpionage is saved as “taskwin32.exe”, and the scheduled task it creates to maintain persistence is named “onedrive updater v10.12.5”. Strings are also split to obfuscate the malware’s code.
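A defender-side hunt for the two persistence indicators named above, written here as an added example (not Talos’s or the article’s code): it parses the CSV form of `schtasks /query /fo CSV /v` output and flags tasks whose name matches the reported scheduled task or whose command line runs the reported binary name. The hostname, user and sample rows are constructed; the legitimate-looking OneDrive row is included to show that the match is exact, not a substring hit on “onedrive”.

```python
import csv
import io
import re

# Indicators reported in the article: the dropped binary's file name and the
# scheduled task name used for persistence. Both are matched case-insensitively.
DNSPIONAGE_TASK_NAME = "onedrive updater v10.12.5"
DNSPIONAGE_BINARY = "taskwin32.exe"

# Constructed sample of `schtasks /query /fo CSV /v` output, reduced to the
# columns used below. Row 1 is a genuine OneDrive updater task, row 2 mimics
# the article's indicators, row 3 is an unrelated benign task.
SAMPLE_SCHTASKS_CSV = """\
"HostName","TaskName","Next Run Time","Status","Task To Run","Run As User"
"WS01","\\OneDrive Standalone Update Task-S-1-5-21-1","4/20/2019 9:00:00 AM","Ready","%LOCALAPPDATA%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe","WS01\\alice"
"WS01","\\onedrive updater v10.12.5","4/20/2019 9:05:00 AM","Ready","C:\\Users\\alice\\AppData\\Roaming\\taskwin32.exe","WS01\\alice"
"WS01","\\MicrosoftEdgeUpdateTaskMachineCore","4/20/2019 10:00:00 AM","Ready","C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe /c","SYSTEM"
"""

# The binary name must stand alone as a path component or argument, so that
# e.g. "nottaskwin32.exe" or "taskwin32.exe.log" does not match.
_BINARY_RE = re.compile(
    rf'(?:^|[\\/\s"]){re.escape(DNSPIONAGE_BINARY)}(?:[\s"]|$)', re.IGNORECASE
)


def find_suspicious_tasks(schtasks_csv: str) -> list:
    """Return one dict per task row that matches a reported indicator.

    schtasks prints task names with a leading backslash (folder path), which
    is stripped before comparing against the reported task name.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row["TaskName"].lstrip("\\").lower()
        command = row["Task To Run"]
        reasons = []
        if name == DNSPIONAGE_TASK_NAME:
            reasons.append("task name matches reported persistence task")
        if _BINARY_RE.search(command):
            reasons.append("command line runs reported binary name")
        if reasons:
            hits.append({"task": row["TaskName"], "command": command,
                         "user": row["Run As User"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{hit['task']} ({hit['user']}): {'; '.join(hit['reasons'])}")
```

On a live host the same function can be fed the real output of `schtasks /query /fo CSV /v`; the task name alone is a weak indicator, so the command line and run-as user are returned for triage.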
The malicious code first drops a Windows batch file that runs WMI commands to list the machine’s running processes and sends platform-specific information to the C2.
DNSpionage then searches for antivirus products, mainly Avira and Avast. If either is found, some configuration steps are skipped before infection proceeds.
The new Karkoff .NET malware discovered by the Talos researchers is “lightweight” and allows remote code execution from the C2. Karkoff writes a log file that records each executed command with a timestamp; organizations that fall victim to Karkoff can use this file to reconstruct what happened.
DNSpionage may be connected to OilRig, a threat group that has carried out persistent attacks against targets in the Middle East for several years. OilRig was first identified in 2016 and has used a variety of Trojans, DNS tunneling, and spear-phishing tactics to snare targets.
According to Talos, there is a weak link between this group and DNSpionage based on similar URL fields, but at this stage it cannot be confirmed whether they are the same group or are working together.
The continued development of the DNSpionage malware suggests that the attackers will keep finding new ways to avoid detection.