Karkoff DNS Malware

Karkoff is a newly observed .NET-based malware believed to have been created by the group behind DNSpionage for use as a remote execution tool during these campaigns.

Threat ID:: CC-3037
Category:: Trojan
Threat Severity:: Medium
Threat Vector:: Insecure network
Published:: 25 April 2019 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Karkoff is a newly observed .NET-based malware believed to have been created by the group behind DNSpionage for use as a remote execution tool during these campaigns.

Threat details

During new DNSpionage campaigns, the group will perform extensive reconnaissance, including collecting user and system information, on the affected system before installing Karkoff. They will also check for the presence of several anti-virus products on the system and will not install Karkoff if they are.

Once installed, Karkoff will initiate a new command and control connection using the same infrastructure as previous DNSpionage campaigns, before awaiting further commands.

Remediation steps

Type	Step
	As Karkoff is delivered during active DNSpionage campaigns the same remediation actions should be taken, namely: Implement multi-factor authentication for domain administration tools. Validate A and NS records regularly. Revoke any suspicious or malicious TLS certificates. Additionally, to prevent and detect an infection, ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. Regular anti-virus and security scans are performed on your organisation’s estate. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

As Karkoff is delivered during active DNSpionage campaigns the same remediation actions should be taken, namely:

Implement multi-factor authentication for domain administration tools.
Validate A and NS records regularly.
Revoke any suspicious or malicious TLS certificates.

Additionally, to prevent and detect an infection, ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
Regular anti-virus and security scans are performed on your organisation’s estate.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Last edited: 14 February 2020 2:50 pm