Cyberkriminelle der gennemført DNSpoinage kampagne, bevæbnet nu med ny malware-software

Cyberkriminelle gruppe, der er ansvarlig for DNSpionage drift blev mere selektiv i valget af ofre og bevæbnet sig med ny malware Karkoff at forbedre effektiviteten af ​​deres cyberangreb.

ENccording to FireEye, DNSpionage campaing begyndte i slutningen af ​​april 2017 og for det ansvarlige cyberkriminelle, der virker i interesser iranske regering.

I de tidligere angreb, with the use of fake websites and DNS breaks, intruders redirected traffic from legitimate domains on malware ones, for the latter were used free digital certificates Let’s Encrypt.

Now group armed with new instrument for remote administering with support of connection with C&C servers through HTTP and DNS, researchers from Cisco Talos.

Since release of Cisco Talos first report about DNSpionage in the end of 2018, cybercriminals enhanced their tactic.

“We discovered some changes to the actorstactics, teknikker og procedurer (ttps), including the use of a new reconnaissance phase that selectively chooses which targets to infect with malware.”, – Cisco Talos researchers reported.

With the help of espionage methods, criminals manage to bypass protection and create digital fingerprints of system they attack.

Criminals select their victims very carefully and attack them with the use of targeted fishing. They send their victims emails with attached Microsoft Word and Excel documents that contain malware macros. During the attack, malware programs through the macros change their names for «taskwin32.exe» and create planned task «onedrive updater v10.12.5» for ensuring that malware will persist in a system.

DNSpionage
In DNSpionage, upon opening the Excel document, users are greeted with the insult, “haha you are donkey [sic].” The broken English suggests the actor is unlikely a native English speaker.

This month researchers firstly detected in the arsenal of the group malware program on .Net under the name Karkoff. They say that malware is “lightweighted” and needs remote performing through C&C server.

alligevel, Karkoff possesses one interesting feature. Malware generates journal file where are stores all performed commands with time marks. Så, with the use of this journal Karkoff victims can check what and when happened certain events.

Kilde: https://blog.talosintelligence.com

Om Trojan Killer

Carry Trojan Killer Portable på din memory stick. Vær sikker på, at du er i stand til at hjælpe din pc modstå eventuelle cyber trusler, hvor du går.

Tjek også

MageCart på Heroku Cloud Platform

Forskere har fundet flere MageCart Web Forplove On Heroku Cloud Platform

Forskere ved Malwarebytes rapporteret om at finde flere MageCart web skummere på Heroku cloud-platform …

Android Spyware CallerSpy

CallerSpy spyware masker som en Android chat applikation

Trend Micro eksperter opdagede malware CallerSpy, hvilke masker som en Android chat program og, …

Skriv et svar