Top Middle East Cyber Threat- 13 May 2019
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cyber security threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top cyber security threat our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
APT34 Kicks off new Karkoff Attack
In 2018, security researchers at Cisco Talos discovered a campaign, titled ‘DNSpionage’ which executed multiple attacks against organizations in the UAE. Recently the same threat actor, a group commonly referred to as APT34, appears now to be leveraging new tactics, techniques and procedures to improve the efficacy of their operations, and is now executing a campaign using malware known as ‘Karkoff’.
This new malware is being used primarily for reconnaissance though it also allows attackers to remotely execute arbitrary code on compromised hosts. The threat actor’s ongoing development of malware shows that the attacker continues to find new ways to avoid detection.
Karkoff is a variant of the Group’s previous DNSpionage malware so it is important to first understand that attack.
DNSpionage attacks were found to use a malware sample with malicious macros embedded in a Microsoft Excel document. It uses msdonedrive directory and renames the malware to “taskwin32.exe”. The scheduled task is then renamed to “onedrive updater v10.12.5”.
The malware supports HTTP and DNS communication to the C2 server. The HTTP communication is hidden in the comments of the HTML code. On initial execution, the malware drops a Windows batch file (a.bat) to execute a WMI command and obtain all the running processes on the victim’s machine. The malware also identifies the username and computer name of the infected system. Finally, it uses the NetWkstaGetInfo() API with the level 100 to retrieve additional info on the system.
This level returns information about the workstation environment, including platform-specific information, the name of the domain and the local computer, and information regarding the operating system. This information is key as it enables the malware to select potential victims only, while avoiding researchers or sandboxes.
Furthermore, the malware searches for two anti-virus platforms: Avira and Avast. If they are installed on the system and identified during the reconnaissance phase, a specific flag will be set and some options from the configuration file will be ignored.
The latest variant of this malware (Karkoff) was developed in .NET. It is lightweight compared to the previous versions and allows remote code execution from the C2 server. The malware is a Windows service named “MSExchangeClient:”.Karkoff supports HTTP and HTTPS communications.
The threat actor’s ongoing development of DNSpionage malware shows that the attacker continues to find new ways to avoid detection.
Links between DNSpionage, Karkoff and APT34:
Talos has identified infrastructure overlaps in the DNSpionage and the Karkoff cases.
Resolution History for the domain in Karkoff C2: “rimrun[.]com”
108.62.141[.]247 -> from 12/19/18 to 4/13/19
209.141.38[.]71 -> on 12/26/18
107.161.23[.]204 -> on 12/26/18
192.161.187[.]200 -> on 12/26/18
IP address from DNSpionage campaign from Nov 2018:
107.161.23[.]204 was used by 0ffice360[.]com on 9/21/18
209.141.38[.]71 was used by hr-wipro[.]com on 9/26/18
192.161.187[.]200 was used by 0ffice360[.]com on 9/21/18
Links to APT34/OilRig Data Leaks:
According to Cisco the recent APT34 / Oil Rig leak includes the ‘webmask_dnspionage’ repository. This repository contains scripts used to perform man-in-the-middle attacks.
The leak contained a C2 panel known as ‘Scarecrow’. The URL for the panel was identified as “*/Th!swasP@NEl”.
Also the PANEL_PATH variable of the DNSpionage C2 server was found to be “*/Th!swasP@NEl”.
The panel path of the leak and Django internal variables of the DNSpionage C2 server are remarkably similar. In addition, the data leaked in April 2019 highlighted Exchange systems as a target for persistence using WebShells. During recent investigations, Help AG has observed activity – that can be attributed to this threat actor – consistent with the targeting or leveraging of MS Exchange systems to obtain further advantage or persistence.
Recommendations and Remediation:
- Blacklist the attack’s Indicators of Compromise (IoCs) on your security appliances to help detect and prevent any malicious attempts made for the same.
- Implement multi-factor authentication on your domain’s administration portal.
- Search for SSL certificates related to your domain and revoke any malicious certificates.
- Periodically update all passwords for any user accounts that can change your organization’s DNS records.
- Audit public DNS records to verify that they are resolving to the intended locations.
- Exercise caution when receiving or accessing unsolicited, unexpected, or suspicious files/emails/URLs.
- Disable the execution of scripts on users’ endpoint devices or restrict execution to virtual environment if possible.
As always, at Help AG, we’re here to help you protect against these any other cyber threats so please reach out to us for all your cyber security needs.