
Karkoff

Posted: April 24, 2019

Karkoff is an updated version of DNSpionage, a backdoor Trojan that uses DNS tunneling to communicate with its threat actor's Command & Control server. Although it contains various structural and feature-based changes, its payload's aim remains the same: giving remote attackers backdoor access for monitoring the system, controlling it, and collecting information. As defenses, let your anti-malware products eliminate Karkoff appropriately and monitor your DNS logs for possible signs of unsafe traffic.

DNSpionage Takes Up a New Name to Go with New Features

After compromising some of the fundamental pillars of the worldwide Web's very infrastructure, DNSpionage's threat actors are neither satisfied nor finished. A new version of DNSpionage is deploying itself against similar targets around the Middle East, including the UAE and Lebanon. This version, Karkoff, boasts both additions and subtractions, for an overall more focused effort than that of its predecessor.

Karkoff, like DNSpionage, is a backdoor Trojan and uses similar DNS tunneling-based methods of hiding its C&C communications with its threat actors. Some of the alterations of interest that malware analysts could confirm in Karkoff include various changes to the disguises of its components. For example, the scheduled task that loads Karkoff is a fake updater for Microsoft's OneDrive backup service.

However, Karkoff's features aren't solely for hiding from users, but also from their security solutions. These internal alterations consist of a change from a Wikipedia copycat to a GitHub copycat C&C page, and a different configuration setup that's specifically for Avira- and Avast-protected environments. It also removes its debugging mode, which could be a way of reducing its footprint. The overall result is a more streamlined, narrower-focused Trojan that's better at hiding than the DNSpionage of before.

Turning Karkoff's Spying Back against Itself

Besides all of its feature-oriented and structural changes, Karkoff's self-defenses include a scouting phase in which the threat actors collect system information before deciding how to proceed with the attack. However, the great irony is that one of its updated functions can be helpful to any victim by 'spilling the beans' on its payload and behavior. A newly-utilized self-logging feature generates a file that contains a complete history of all of the attacks that Karkoff launches on the system. Users with access to the log (an 'MSEx_log.txt' in Windows\Temp) would have a treasure trove of data for helping determine the damage of Karkoff's infection.

While the wisdom of Karkoff recording its behavior for posterity is questionable for any backdoor Trojan, it does nothing to lessen the severity of its attacks against already-compromised Windows computers. Most Windows environments with .NET Framework compatibility are at risk from Karkoff, just as with DNSpionage. Middle Eastern governments and corporations are at high risk.

Most security solutions should detect the network activity that this Trojan generates and identify its C&C. Beyond employing network-monitoring tools and protocols like strict firewalls, users can protect themselves by keeping anti-malware software available and updated for removing Karkoff correctly.
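As an added illustration of the DNS-log monitoring recommended above (this is not code from the original page or from any Karkoff analysis), the Python below scores a constructed DNS query log for tunneling-like traffic: many unique, high-entropy subdomain labels and data-carrying record types aimed at a single domain. The log format, thresholds and the placeholder '.test' domain are assumptions, not real Karkoff indicators.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS log ("timestamp client qname qtype"); the ".test" domain is a placeholder.
SAMPLE_DNS_LOG = """\
2019-04-24T10:00:01Z 10.1.2.3 www.example.com A
2019-04-24T10:00:02Z 10.1.2.3 login.example.net A
2019-04-24T10:00:03Z 10.1.2.4 k3j9qz0a1x.updates-placeholder.test TXT
2019-04-24T10:00:04Z 10.1.2.4 7hq2mzv8b4w1.updates-placeholder.test TXT
2019-04-24T10:00:05Z 10.1.2.4 p9x1c0vq6nzr.updates-placeholder.test TXT
2019-04-24T10:00:06Z 10.1.2.4 z2l8ra5tm7kq.updates-placeholder.test TXT
2019-04-24T10:00:07Z 10.1.2.4 b6n4wy3hx0jd.updates-placeholder.test TXT
2019-04-24T10:00:08Z 10.1.2.3 mail.example.com MX
"""
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
TUNNEL_QTYPES = {"TXT", "NULL", "CNAME"}  # record types that carry arbitrary data well

def shannon_entropy(s):
    """Bits per character; encoded payload labels score high, dictionary words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname):
    return ".".join(qname.rstrip(".").split(".")[-2:])  # naive; use a public-suffix list in production

def find_tunneling_candidates(log_text, min_unique=5, entropy_threshold=3.0):
    """Flag domains that receive at least min_unique distinct, high-entropy subdomain queries."""
    stats = defaultdict(lambda: {"subs": set(), "high": 0, "tunnel": 0, "clients": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        _ts, client, qname, qtype = m.groups()
        dom = registered_domain(qname)
        label = qname[: -len(dom) - 1]  # subdomain part; empty for a bare-domain query
        if not label:
            continue
        st = stats[dom]
        st["subs"].add(label)
        st["clients"].add(client)
        st["high"] += shannon_entropy(label.replace(".", "")) >= entropy_threshold
        st["tunnel"] += qtype.upper() in TUNNEL_QTYPES
    hits = []
    for dom, st in stats.items():
        if len(st["subs"]) >= min_unique and st["high"] >= min_unique:
            hits.append({"domain": dom, "unique_subdomains": len(st["subs"]),
                         "tunnel_qtypes": st["tunnel"], "clients": sorted(st["clients"])})
    return sorted(hits, key=lambda h: -h["unique_subdomains"])
```

On the constructed sample only the placeholder domain is flagged, with the querying client listed so responders know which host to examine (for example for the self-log the text describes).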

Strangely, Karkoff is revealing about some of its features and includes no obfuscation that would prevent malware experts, or the rest of the security industry, from analyzing its code. This Trojan update is a case of stealth that concentrates on the victims and hopes to hide long enough to accomplish its goals.
