New .NET-based Malware Karkoff Intelligently Adapts to Security Settings
Quote:

Here’s how the new malware works and how to stay safe

Recent news from the global community of cybersecurity researchers revealed a new type of .NET-based malware, dubbed Karkoff, part of the DNSpionage malware campaign. The worrisome reports on how this Karkoff malware operates highlight that the script is capable of adapting to the security settings of its victims. This makes it particularly difficult to identify and remove from systems once it is in.

The malware campaign that Karkoff is a part of, dubbed DNSpionage because it is capable of communicating with its C2 (command-and-control) servers via HTTP and DNS channels, has been investigated by researchers since November 2018. However, the new Karkoff strain of malware within this DNSpionage family, and what it is capable of, were only discovered and made public on 23 April 2019.

What is troublesome about the Karkoff malware strain is that it seems capable of intelligently scanning a target's computer for vulnerabilities and then adapting to them. For example, it will check whether some well-known anti-malware solutions (for example Avast) are installed on the targeted system and then customize its own actions so it can bypass detection.

This means that we have truly reached an age in which anti-virus is not enough anymore, as a reactive defensive mechanism which only responds based on a list of known infected domains.

The only solution which can stand a chance against new, adaptive malware strains such as Karkoff is a proactive traffic filtering solution, such as our Thor Foresight. This way, links and incoming traffic can be scanned and tested for safety before your machine can actually connect to them and get infected.

The overall activities of the hacking group behind DNSpionage

Cybersecurity researchers (from Talos) who focused exclusively on the activities of the DNSpionage campaign have pointed out that the hackers have been optimizing their activity for quite some time.

Since last November, they noticed that the group was using Mimikatz in order to deploy credential stuffing attacks, various off-the-shelf administration tools that allow them to crack full access into the processes of the victim's computer, some open-source hacking tools customized for their operations, as well as PuTTY in order to be able to dig tunnels within the target network.

Their ultimate goal is a multi-level approach to DNS hijacking attacks, so they can redirect victims’ traffic to their own servers.

Since February this year, the DNSpionage campaign seems to have enhanced its range of tools with new malware strains and the Karkoff malware is the most dangerous of these.
The following 1 user says Thank You to harlan4096 for this post: ismail
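One way to hunt for the DNS-channel C2 traffic the quoted article mentions, as an added example that is not part of the original post and is not derived from Karkoff's actual protocol or from Talos's tooling: a small Python triage script that scores per-domain DNS query activity for tunnelling indicators (many unique, long, high-entropy subdomains under one registered domain, typically carried in TXT queries). The log format, the domain names, the thresholds and the sample lines are all constructed assumptions; the registered-domain split takes the last two labels rather than consulting a public-suffix list, so it will mis-split names like `example.co.uk`.

```python
"""Heuristic triage of DNS query logs for DNS-channel C2 / tunnelling.

Added example, not code from the article or from any real DNSpionage tooling.
"""
import math
from collections import defaultdict

# Constructed sample DNS query log (not real telemetry).
# Assumed format: "<timestamp> <client-ip> <qname> <qtype>" per line.
SAMPLE_LOG = """\
2019-04-23T10:00:01Z 10.0.0.5 www.example.com A
2019-04-23T10:00:02Z 10.0.0.5 mail.example.com A
2019-04-23T10:00:03Z 10.0.0.7 a3f9c1e2b7d4410aa9.c2-example.net TXT
2019-04-23T10:00:04Z 10.0.0.7 7b2e8d0c4f1a9e6b3d.c2-example.net TXT
2019-04-23T10:00:05Z 10.0.0.7 c8d1f4a62e9b0357fa.c2-example.net TXT
2019-04-23T10:00:06Z 10.0.0.7 e2a7b9c04d6f18e3b5.c2-example.net TXT
2019-04-23T10:00:07Z 10.0.0.5 cdn.example.com A
2019-04-23T10:00:08Z 10.0.0.7 1f6e3c9a8b2d7054ce.c2-example.net TXT
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score high, words low."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (registered_domain, subdomain).

    Assumption: registered domain = last two labels (no public-suffix list).
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return qname.lower(), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    """Parse the assumed 4-column log format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        domain, sub = split_qname(qname)
        records.append({"ts": ts, "client": client, "domain": domain,
                        "sub": sub, "qtype": qtype.upper()})
    return records


def score_domains(records, min_queries=3, min_unique_ratio=0.8,
                  min_avg_len=12, min_avg_entropy=3.0):
    """Per registered domain, compute tunnelling indicators and a verdict.

    A domain is flagged when almost every query uses a fresh subdomain AND
    those subdomains are long AND high-entropy (all thresholds are assumed).
    """
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r["domain"]].append(r)

    results = {}
    for domain, recs in by_domain.items():
        subs = [r["sub"] for r in recs if r["sub"]]
        if len(recs) < min_queries or not subs:
            continue  # too little data, or apex-only queries carrying no payload
        labels = [s.replace(".", "") for s in subs]
        unique_ratio = len(set(subs)) / len(subs)
        avg_len = sum(len(l) for l in labels) / len(labels)
        avg_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        txt_fraction = sum(r["qtype"] in ("TXT", "NULL") for r in recs) / len(recs)
        results[domain] = {
            "queries": len(recs),
            "unique_ratio": unique_ratio,
            "avg_label_len": avg_len,
            "avg_entropy": avg_entropy,
            "txt_fraction": txt_fraction,
            "suspicious": (unique_ratio >= min_unique_ratio
                           and avg_len >= min_avg_len
                           and avg_entropy >= min_avg_entropy),
        }
    return results


def suspicious_domains(records):
    """Sorted list of registered domains that trip the heuristic."""
    return sorted(d for d, m in score_domains(records).items() if m["suspicious"])


if __name__ == "__main__":
    for domain, metrics in score_domains(parse_log(SAMPLE_LOG)).items():
        print(domain, metrics)
    print("suspicious:", suspicious_domains(parse_log(SAMPLE_LOG)))
```

The entropy and length thresholds are the weak point: CDN and anti-spam providers also issue long, random-looking subdomains, so in practice the verdict should be combined with an allow-list of known high-churn domains and with query volume per client over time rather than used alone.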