Karkoff Description

The Karkoff program is a harmful tool created by an Advanced Persistent Threat (APT) group that made its debut on the cyber espionage scene with the DNSpionage malware in November 2018. Karkoff is the group's second tool and was discovered in February 2019. Unlike the earlier attacks, the threat actors switched to Excel documents with embedded macros that differ slightly from those used to deliver the DNSpionage tool. The attackers use the Karkoff program for reconnaissance operations preceding a potential attack.

The Karkoff tool is delivered to systems via phishing emails that may look like internal company emails and carry an MS Excel spreadsheet. The document installs the Karkoff malware into the 'msdonedrive' directory on Windows and loads it into memory as 'taskwin32.exe.' The executable is then launched by a scheduled task titled 'onedrive updater v10.12.5', a name matching the latest version of Microsoft's OneDrive cloud client. Once the Karkoff Trojan is up and running, it reports to its Command and Control server with a log containing the following details: the OS version and system architecture, the domain name, and a list of running processes. The Karkoff Trojan can execute download-and-run commands, and it can go radio-silent for long periods in an attempt to remain undetected.

Interestingly, the actors behind Karkoff use lower-quality domains for the command servers than in their first campaign. The Karkoff malware is programmed to connect over HTTPS and DNS channels to the domain 'coldfart[.]com', a name likely to attract attention when IT security staff run a protective security sweep. Static detection of Karkoff, however, is hindered by the attackers' use of split strings and obfuscated functions. Companies are advised to monitor outgoing network connections closely and track loaded modules rigorously to minimize the impact of potential attacks with the Karkoff Trojan.
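The persistence and C2 indicators quoted above (the scheduled task name, the 'taskwin32.exe' binary in the 'msdonedrive' directory, and the 'coldfart[.]com' domain) can be turned into a simple defender-side sweep. The following is an added example, not code from the original description or from any vendor; the schtasks CSV column names are those the verbose 'schtasks /query /v /fo CSV' output uses, the DNS log line layout is an assumption, and the sample data is constructed.

```python
import csv
import io

# Indicators quoted in the description above; nothing else is implied.
TASK_NAME = "onedrive updater v10.12.5"
EXE_NAME = "taskwin32.exe"
DIR_HINT = "msdonedrive"
C2_DOMAIN = "coldfart.com"


def scan_schtasks_csv(text):
    """Return (TaskName, Task To Run) pairs from 'schtasks /query /v /fo CSV'
    output that match the Karkoff persistence indicators (case-insensitive)."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        name = row.get("TaskName", "")
        action = row.get("Task To Run", "")
        if (TASK_NAME in name.lower()
                or EXE_NAME in action.lower()
                or DIR_HINT in action.lower()):
            hits.append((name, action))
    return hits


def scan_dns_log(lines):
    """Return (client, qname) pairs for queries to the C2 domain or a subdomain.
    Assumed (constructed) line layout: '<timestamp> <client-ip> <qtype> <qname>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or blank line: skip rather than crash
        client, qname = parts[1], parts[3].rstrip(".").lower()
        if qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN):
            hits.append((client, qname))
    return hits


# Constructed sample data for demonstration only; the install path is assumed.
SAMPLE_SCHTASKS = (
    '"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run"\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft","%windir%\\defrag\\defrag.exe -c -h -k -g -$"\n'
    '"WS01","\\onedrive updater v10.12.5","02/10/2019 10:00:00","Ready","Interactive only","N/A","0","WS01\\user","C:\\Users\\user\\AppData\\Local\\msdonedrive\\taskwin32.exe"\n'
)
SAMPLE_DNS = [
    "2019-02-10T10:00:01Z 10.0.0.5 A onedrive.live.com",
    "2019-02-10T10:00:07Z 10.0.0.5 TXT coldfart.com",
    "2019-02-10T10:00:09Z 10.0.0.7 A update.coldfart.com.",
    "malformed line",
]

if __name__ == "__main__":
    for hit in scan_schtasks_csv(SAMPLE_SCHTASKS) + scan_dns_log(SAMPLE_DNS):
        print("ALERT:", hit)
```

On a live host, feed `scan_schtasks_csv` the output of `schtasks /query /v /fo CSV` and `scan_dns_log` your resolver's query log in the assumed layout; the benign defrag task and the unrelated OneDrive lookup produce no alerts.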

Detection names for the Karkoff Trojan are listed below:

DFI - Suspicious PE
Trojan ( 0054a3bc1 )