Posted: April 24, 2019

Karkoff Description

Karkoff is an updated version of DNSpionage, a backdoor Trojan that uses DNS tunneling to communicate with its threat actor's Command & Control server. Although it contains various structural and feature-based changes, its payload's aim remains giving remote attackers backdoor access for monitoring the system, controlling it, and collecting information. As defenses, let your anti-malware products remove Karkoff, and monitor your DNS logs for possible signs of unsafe traffic.

DNSpionage Takes Up a New Name to Go with New Features

After compromising some of the fundamental pillars of the worldwide Web's very infrastructure, DNSpionage's threat actors are neither satisfied nor finished. A new version of DNSpionage is deploying itself against similar targets around the Middle East, including the UAE and Lebanon. This version, Karkoff, boasts both additions and subtractions, for an overall more focused effort than that of its predecessor.

Karkoff, like DNSpionage, is a backdoor Trojan and uses similar DNS exploit-based methods of hiding its C&C communications with its threat actors. The alterations of interest that malware analysts could confirm in Karkoff include various changes to the disguises of its components. For example, the scheduled task that loads Karkoff is a fake updater for Microsoft's OneDrive backup service.

However, Karkoff's features aren't solely for hiding from users, but also from their security solutions. These internal alterations consist of a change from a Wikipedia copycat to a GitHub copycat C&C page, and a different configuration setup that's specifically for Avira- and Avast-protected environments. It also removes its debugging mode, which could be a way of reducing its footprint. The overall result is a more streamlined and narrowly focused Trojan that's better at hiding than the DNSpionage of before.

Turning Karkoff's Spying Back against Itself

Besides all of its feature-oriented and structural changes, Karkoff's self-defenses include a scouting phase where the threat actors collect system information before making further decisions on how to proceed with attacking. However, the great irony is that one of its updated functions can help victims by 'spilling the beans' on its payload and behavior. A newly utilized self-logging feature generates a file that contains a complete history of all of the attacks that Karkoff launches on the system. Users with access to the log (an 'MSEx_log.txt' in Windows\Temp) would have a treasure trove of data for helping determine the damages of Karkoff's infection.
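A host triage sketch for the two artifacts named above, the 'MSEx_log.txt' log in Windows\Temp and the scheduled task posing as a OneDrive updater. This is an added example, not code from the original article or from the researchers it cites; the function names are hypothetical, and it assumes the fake task mentions "OneDrive" in its name or path and that a genuine updater binary carries a valid Microsoft signature.

```powershell
# Added triage example. Run from an elevated PowerShell session on the host.

function Find-KarkoffLog {
    # File name and folder come from the article: 'MSEx_log.txt' in Windows\Temp.
    param([string]$TempDir = (Join-Path $env:windir 'Temp'))
    $path = Join-Path $TempDir 'MSEx_log.txt'
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $f = Get-Item -LiteralPath $path -Force
        # Record metadata and a hash before anyone opens or copies the file.
        [pscustomobject]@{
            Path         = $f.FullName
            SizeBytes    = $f.Length
            CreatedUtc   = $f.CreationTimeUtc
            LastWriteUtc = $f.LastWriteTimeUtc
            SHA256       = (Get-FileHash -LiteralPath $path -Algorithm SHA256 `
                                -ErrorAction SilentlyContinue).Hash
        }
    }
}

function Find-SuspectOneDriveTask {
    # Assumption: a task imitating the OneDrive updater has "OneDrive" in its name or path.
    Get-ScheduledTask |
        Where-Object { $_.TaskName -match 'OneDrive' -or $_.TaskPath -match 'OneDrive' } |
        ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                if (-not $action.Execute) { continue }   # COM-handler actions have no binary
                $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
                $sig = $null
                if (Test-Path -LiteralPath $exe) { $sig = Get-AuthenticodeSignature -LiteralPath $exe }
                $signer = ''
                if ($sig -and $sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                # Assumption: the real updater is validly signed by Microsoft Corporation.
                $trusted = $sig -and $sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation'
                if (-not $trusted) {
                    [pscustomobject]@{
                        Task      = $task.TaskPath + $task.TaskName
                        Execute   = $exe
                        Arguments = $action.Arguments
                        Signer    = $signer
                    }
                }
            }
        }
}

Find-KarkoffLog
Find-SuspectOneDriveTask
```

Any output from either function is a lead for investigation rather than a verdict; preserve the log file as evidence instead of deleting it.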

While the wisdom of a backdoor Trojan recording its behavior for posterity is questionable, the log does nothing to lessen the severity of Karkoff's attacks against already-compromised Windows computers. Most Windows environments with .NET Framework compatibility are at risk from Karkoff, just the same as with DNSpionage. Middle Eastern governments and corporations are at high risk.

Most security solutions should detect the network activity that this Trojan generates and identify its C&C. Beyond employing network-monitoring tools and protocols like strict firewalls, users can protect themselves by having anti-malware software available and updated for removing Karkoff correctly.

Karkoff is strangely revealing about some of its features and includes no obfuscation that would prevent malware experts, or the rest of the security industry, from analyzing its code. This Trojan update is a case of stealth that's concentrating on the victims and hoping that it can hide long enough to accomplish its goals.
