Karkoff

By GoldSparrow in Malware

Translate To:

The Karkoff program is a harmful tool created by an Advanced Persistent Threat (APT) group that made a debut on the cyber espionage scene using the DNSpionage in November 2018. The Karkoff program is their second product that was discovered in February 2019. Unlike earlier attacks, the threat actors switched to using Excel documents with embedded macros, which were slightly different compared to the one used with the DNSpionage tool. The attackers use the Karkoff program for reconnaissance operations preceding a potential attack.

The Karkoff tool is delivered to systems via phishing emails that may look like internal company emails and include an MS spreadsheet file. The file installs the Karkoff malware to the 'msdonedrive' directory on Windows and loads it in the memory as 'taskwin32.exe.' The executable is now loaded with a scheduled task that is titled 'onedrive updater v10.12.5' corresponding to the latest version of Microsoft's OneDrive cloud solution. Once, the Karkoff Trojan is up and running it reports to the 'Command and Control' server with a log containing the following details: the OS version and the system architecture; the domain name; and a list of the running processes. The Karkoff Trojan can execute download & run commands, as well as go radio-silent for long periods in an attempt to remain undetected.

Interestingly, the actors behind Karkoff use low-quality domains for the command servers compared to their first campaign. The Karkoff malware is programmed to connect via HTTPS and DNS channels to the domain 'coldfart[.]com' that is likely to attract attention when IT security staff runs a protective security sweep. However, static detection of Karkoff is hindered because the attackers use split strings and obfuscated functions. Companies are advised to monitor outgoing network connections closely and track loaded modules rigorously to minimize the impact of potential attacks with the Karkoff Trojan.

Detection names for the Karkoff Trojan are listed below:

Artemis!5733AFE71BD0
DFI - Suspicious PE
Gen:Variant.Razy.477295
MSIL/Agent.BWH!tr
Malicious.55fcbe
TROJ_GEN.R002C0PD519
Trojan ( 0054a3bc1 )
Trojan.Agent!WbxuvxvWkUQ
Trojan:MSIL/Generic.8c7d41c0
Win32/Trojan.89a

Enigma Software Group Prevails Over Malwarebytes at the Ninth Circuit

Search

Change Region

Karkoff

Submit Comment

Trending

'YouPorn' Email Scam

Safe Search Eng

Findtheirreport.com

Most Viewed

Is Lookmovie.io Safe?

How To Fix 'Printer Driver is Unavailable' Error

Discord Shows Black Screen when Sharing Screen