Phone : +91 95 8290 7788 | Email :

Register & Request Quote | Submit Support Ticket

Home » Cyber Security News » DNSpionage campaign drops new .NET-based Karkoff malware to infect victims’ systems

DNSpionage campaign drops new .NET-based Karkoff malware to infect victims’ systems

  • The malware is delivered via an Excel document that contains malicious macros.
  • The spear phishing messages are sent to the specific targets chosen by the threat actor group.

Researchers at Cisco Talos detected a DNSpionage malware campaign in late 2018. It is believed that the same threat actor group has changed its tactics over time to improve the efficacy of its operations.

In April 2019, it has been found that the actors are using a new malware called ‘Karkoff’ to conduct DNSpionage campaigns.

What are the changes – According to the latest research by Cisco Talos, it has been discovered that the group has now created a new remote administration tool that supports HTTP and DNS communication.

In addition to this, the campaign also includes a new reconnaissance stage that enables the group to selectively choose its target. The actors are using a new .NET-based Karkoff malware designed to allow them to execute code remotely on compromised hosts.

How is the malware delivered – The malware is delivered via an Excel document that contains malicious macros. Here, the spear phishing messages are sent to the targets chosen by the group.

When the malicious macros are executed on an infected machine, it is renamed as ‘taskwin32.exe’ in order to avoid detection. Further, the name of the scheduled task designed to maintain persistence is also changed and renamed as ‘onedrive updated v10.12.5’.

The attackers have also improved the malware’s capability of hiding their activity by splitting API calls.

What are the activities of Karkoff malware – Karkoff first aims to drop a Windows batch file to execute WMI commands and obtain a list of machine’s running process. It then searches for antivirus products present on the machine before proceeding with the infection.

Once it customizes the action of the machine, the malware logs all the command it executes on the compromised systems by attaching timestamps.

“The executed commands are stored in this file (XORed with ‘M’) with a timestamp. This log file can be easily used to create a timeline of the command execution which can be extremely useful when responding to this type of threat. With this in mind, an organization compromised with this malware would have the opportunity to review the log file and identify the commands carried out against them,” the Cisco Talso researchers noted.

What’s the link – Researchers claim OilRig threat actor group is likely behind the DNSpionage campaign as well. The threat actor has leveled persistence attacks against organizations in the Middle East for many years. The group is using a variety of trojans, DNS Tunneling and spear phishing tactics to snare targets.

Information Security - InfoSec - Cyber Security - Firewall Providers Company in India













What is Firewall? A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.


Secure your network at the gateway against threats such as intrusions, Viruses, Spyware, Worms, Trojans, Adware, Keyloggers, Malicious Mobile Code (MMC), and other dangerous applications for total protection in a convenient, affordable subscription-based service. Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Stateful firewalls with simple packet filtering capabilities were efficient blocking unwanted applications as most applications met the port-protocol expectations. Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols.


Firewall Firm is an IT Monteur Firewall Company provides Managed Firewall Support, Firewall providers , Firewall Security Service Provider, Network Security Services, Firewall Solutions India , New Delhi - India's capital territory , Mumbai - Bombay , Kolkata - Calcutta , Chennai - Madras , Bangaluru - Bangalore , Bhubaneswar, Ahmedabad, Hyderabad, Pune, Surat, Jaipur, Firewall Service Providers in India

Sales Number : +91 95 8290 7788 | Support Number : +91 94 8585 7788
Sales Email : | Support Email :

Register & Request Quote | Submit Support Ticket