
The cybercriminal group behind the infamous DNSpionage malware campaign has been found running a new sophisticated operation that infects selected victims with a new variant of the DNSpionage malware.

First uncovered in November last year, the DNSpionage attacks used compromised sites and crafted malicious documents to infect victims’ computers with DNSpionage, a custom remote administrative tool that uses HTTP and DNS to communicate with the attacker-controlled command and control server.

According to a new report published by Cisco’s Talos threat research team, the group has adopted some new tactics, techniques and procedures to improve the efficacy of their operations, making their cyber attacks more targeted, organised and sophisticated in nature.

Unlike in previous campaigns, the attackers now perform reconnaissance on their victims before infecting them with a new piece of malware, dubbed Karkoff, allowing them to choose which targets to infect in order to remain undetected.

“We identified infrastructure overlaps in the DNSpionage and the Karkoff cases,” the researchers say.

During the reconnaissance phase, the attackers gather system information related to the workstation environment, operating system, domain, and list of running processes on the victim’s machine.

“The malware searches for two specific anti-virus platforms: Avira and Avast. If one of these security products is installed on the system and identified during the reconnaissance phase, a specific flag will be set, and some options from the configuration file will be ignored,” the researchers say.
