DNSpionage Brings Out the Karkoff
(Apr 23, 2019)
A new campaign distributing a malware family called "Karkoff" has been found to share traits with the "DNSpionage" campaign against Middle Eastern entities that was first reported in November 2018. DNSpionage used a new Remote Administration Tool (RAT) that could communicate with the threat actors' Command and Control (C2) server over either HTTP or DNS. The new campaign uses a phishing email carrying an Excel document that asks the user to enable macros in order to view its content. If macros are enabled, a payload is dropped that connects to a C2 server which mimics the GitHub platform to disguise its traffic. Like DNSpionage, Karkoff supports both HTTP and DNS communication, and the campaign now adds a reconnaissance phase so that the payload is delivered only to selected targets rather than to any machine that opens the document.
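Because the RAT described above can carry its C2 traffic over DNS, one practical hunt is to look for hosts that issue many distinct, long, high-entropy subdomains under a single domain, which is what encoded data in query names looks like. The following is an added example written for this digest, not code from the original report or from the threat actor's tooling; the log format, the sample lines, the domain names and the thresholds are all constructed assumptions, and the encoded-looking labels are made-up strings, not real campaign indicators.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the campaign). Assumed format:
# "<timestamp> <client-ip> <qname> <qtype>", one query per line.
# Lines 3-6 imitate a host pushing encoded data through subdomains; the last
# line is a long but low-entropy label that the heuristic must NOT flag.
SAMPLE_LOG = """\
2019-04-23T10:00:01Z 10.0.0.5 www.github.com A
2019-04-23T10:00:02Z 10.0.0.5 api.github.com A
2019-04-23T10:00:03Z 10.0.0.7 mzxw6ytboi2hk4tlnfyxiltgmfxgc.update-check.example A
2019-04-23T10:00:04Z 10.0.0.7 nfzgkylfmvsw4ylsnfwcaytpmfzgk.update-check.example A
2019-04-23T10:00:05Z 10.0.0.7 ovzwk4tfnfwwc4lfnvqw4zlsmfwgk.update-check.example TXT
2019-04-23T10:00:06Z 10.0.0.7 gm3xe4rbpevxs33von3gczjsovxq5.update-check.example TXT
2019-04-23T10:00:07Z 10.0.0.9 mail.example.org MX
2019-04-23T10:00:08Z 10.0.0.9 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.cdn.example A
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive 'registered domain' = last two labels. This is an assumption made for
    the example; production code should consult a public-suffix list (co.uk etc.)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_encoded_label(label, min_len=20, min_entropy=3.5):
    """Heuristic: a leftmost label that is both long and high-entropy looks like
    encoded data rather than a hostname a human chose. Thresholds are assumptions."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_line(line):
    """Parse one log line into (timestamp, client, qname, qtype); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return ts, client, qname.rstrip(".").lower(), qtype


def find_dns_c2_candidates(log_text, min_label_len=20, min_entropy=3.5, min_flagged=3):
    """Return [(client, registered_domain, distinct_flagged_qnames)] for every
    (client, domain) pair that produced at least min_flagged distinct query names
    whose leftmost label passes is_encoded_label(). Counting distinct names per
    pair is what separates a tunnel from one odd-looking CDN hostname."""
    flagged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qname, _ = rec
        reg = registered_domain(qname)
        if qname == reg:          # bare domain, no subdomain to inspect
            continue
        leftmost = qname.split(".")[0]
        if is_encoded_label(leftmost, min_label_len, min_entropy):
            flagged[(client, reg)].add(qname)
    return sorted(
        (client, reg, len(names))
        for (client, reg), names in flagged.items()
        if len(names) >= min_flagged
    )


if __name__ == "__main__":
    for client, domain, count in find_dns_c2_candidates(SAMPLE_LOG):
        print(f"possible DNS C2: {client} -> {domain} ({count} encoded-looking subdomains)")
```

Run against a real resolver export, the two knobs to tune are the entropy threshold (legitimate CDN and telemetry hostnames can be fairly random) and the per-pair count; the long run of "a" characters in the sample shows why length alone is not enough.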
Recommendation: This campaign is a reminder to treat documents that ask for macros to be enabled as hostile. Employees should be educated on the risk of opening attachments from unknown senders, and where the business allows, macros should be disabled or restricted centrally by policy rather than left to the user's decision at the prompt. Anti-spam and antivirus protection should be deployed and kept current.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.