What Is It?

Researchers from the Cisco Talos team previously released details of an attack they named DNSpionage in November 2018. This attack included a new remote access trojan (RAT) that used both HTTP and DNS traffic when communicating with its command and control (C2) server. The option to use a DNS communication channel is controlled by a configuration setting, intended to remove the possibility that C2 traffic will be detected and/or blocked by web proxies or web filtering software. In the initial attack, government entities in Lebanon and the UAE (United Arab Emirates) were targeted, in addition to a Lebanese airline.

Cisco Talos continued to track attacks by this group, observing changes in February 2019 and then in April 2019. They found that the attackers began using a new piece of backdoor malware, which they have called Karkoff based on a name found in its code. In February, the initial infection vector changed from a Microsoft Word document containing a malicious macro to a Microsoft Excel document carrying a mostly identical malicious macro. As we’ve observed in other reports, attackers are not only building new threats but adding deeper functionality to existing ones. With Karkoff, the attackers added three new functions. First, they added functionality to retrieve a list of processes running on the system and capture various basic system information. Second, they added very basic string obfuscation, enough to potentially stop YARA signatures from detecting the updated malware, but not enough to trouble analysts. Lastly, it checks whether the Avira or Avast legacy anti-virus products are installed and, if they are, alters some configuration values.

First seen in April, the Karkoff backdoor malware is written in Microsoft .NET, is relatively small in size and contains no anti-analysis techniques. Further evidence of a lack of sophistication in this early variant is that the log file kept by Karkoff uses the most basic of obfuscation techniques (an XOR with the character “M”), providing incident responders with a wealth of information about the actions the malware took while installed. Similarly, the C2 server names are hardcoded and the traffic is not encrypted, only base64-encoded and XOR’d with the value 70 (which is hardcoded within the code). Karkoff is capable of uploading files, downloading and executing files, and deleting the information it stores in the system registry.
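The weak obfuscation described above is exactly what makes this variant easy for a responder to read. The following Python is an added illustration, not code from the BluVector or Talos reports, showing how an analyst would recover a Karkoff-style log file (single-byte XOR with “M”) and a C2 message (XOR with 70 plus base64). The log lines and C2 message are constructed samples, and the order (XOR first, then base64, so the wire form is printable base64 text) is an assumption the page does not state.

```python
import base64

LOG_XOR_KEY = ord("M")   # 0x4D: single-byte key the page says Karkoff applies to its log file
C2_XOR_KEY = 70          # 0x46: hardcoded key the page says is applied to C2 traffic


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. A single-byte XOR is its own
    inverse, so the same call both obfuscates and de-obfuscates."""
    return bytes(b ^ key for b in data)


def decode_log(blob: bytes) -> str:
    """Recover the plaintext of a Karkoff-style log file (XOR with 'M')."""
    return xor_single_byte(blob, LOG_XOR_KEY).decode("utf-8", errors="replace")


def decode_c2(wire: str) -> bytes:
    """Recover a C2 message. Assumption (not stated on the page): the
    plaintext is XOR'd with 70 first and then base64-encoded."""
    return xor_single_byte(base64.b64decode(wire), C2_XOR_KEY)


def encode_c2(plain: bytes) -> str:
    """Inverse of decode_c2; used here only to build the constructed sample."""
    return base64.b64encode(xor_single_byte(plain, C2_XOR_KEY)).decode("ascii")


def has_known_key_plaintext(blob: bytes, key: int, marker: bytes) -> bool:
    """Triage helper: does `blob` decode under `key` to something containing
    `marker`? Lets a responder confirm a recovered file or message really
    uses one of the documented keys before reading it in full."""
    return marker in xor_single_byte(blob, key)


# Constructed samples (not real captures): what an analyst might pull from
# disk (the XOR'd log) and from a packet capture (the base64 C2 payload).
SAMPLE_LOG_BLOB = xor_single_byte(
    b"[+] tasklist executed\n[+] upload C:\\users\\victim\\notes.txt\n", LOG_XOR_KEY
)
SAMPLE_C2_WIRE = encode_c2(b"HOSTNAME=WKS-01;USER=victim;PROCS=explorer.exe,cmd.exe")

if __name__ == "__main__":
    print(decode_log(SAMPLE_LOG_BLOB))
    print(decode_c2(SAMPLE_C2_WIRE).decode())
    print(has_known_key_plaintext(SAMPLE_LOG_BLOB, LOG_XOR_KEY, b"tasklist"))
```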

How Does It Propagate?

The malware propagates via Microsoft Word documents containing malicious macros.

When/How Did BluVector Detect It?

BluVector’s patented Machine Learning Engine (MLE) detected all available samples. Regression testing has shown the samples would have been detected up to 26 months prior to their release.