{ "Event": { "analysis": "2", "date": "2019-04-24", "extends_uuid": "", "info": "OSINT - DNSpionage brings out the Karkoff", "publish_timestamp": "1556104895", "published": true, "threat_level_id": "3", "timestamp": "1556104870", "uuid": "5cc023e7-9c7c-418e-b908-4d46950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"DNSpionage\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"DNSpionage\"", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": false, "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#0087e8", "local": false, "name": "osint:certainty=\"50\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:tool=\"Karkoff\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556095991", "to_ids": false, "type": "link", "uuid": "5cc023f7-8650-4b3b-b631-4d52950d210f", "value": "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556096012", "to_ids": false, "type": "text", "uuid": "5cc0240c-fb80-4eb2-99bb-4040950d210f", "value": "In November 2018, Cisco Talos discovered an attack campaign, called DNSpionage, in which threat actors created a new remote administrative tool that supports HTTP and DNS communication with the attackers' command and control (C2). Since then, there have been several other public reports of additional DNSpionage attacks, and in January, the U.S. 
Department of Homeland Security issued an alert warning users about this threat activity.\r\n\r\nIn addition to increased reports of threat activity, we have also discovered new evidence that the threat actors behind the DNSpionage campaign continue to change their tactics, likely in an attempt to improve the efficacy of their operations. In February, we discovered some changes to the actors' tactics, techniques and procedures (TTPs), including the use of a new reconnaissance phase that selectively chooses which targets to infect with malware. In April 2019, we also discovered the actors using a new malware, which we are calling \"Karkoff.\"\r\n\r\nThis post will cover the aforementioned DNSpionage updates, the discovery of the Karkoff malware and an analysis of the recent Oilrig malware toolset leak, and how it could be connected to these two attacks." }, { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "timestamp": "1556096043", "to_ids": true, "type": "sha256", "uuid": "5cc0242b-2ba8-419f-8d14-42e7950d210f", "value": "5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c" }, { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "timestamp": "1556096043", "to_ids": true, "type": "sha256", "uuid": "5cc0242b-e1cc-4aec-a163-471f950d210f", "value": "6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11" }, { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "timestamp": "1556096043", "to_ids": true, "type": "sha256", "uuid": "5cc0242b-1ac0-448a-a3c9-45ff950d210f", "value": "b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04" }, { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "timestamp": "1556096043", "to_ids": true, "type": "sha256", "uuid": 
"5cc0242b-d758-44d4-9614-4759950d210f", "value": "cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5" }, { "category": "Network activity", "comment": "C2 server", "deleted": false, "disable_correlation": false, "timestamp": "1556096086", "to_ids": true, "type": "domain", "uuid": "5cc02456-7350-4263-bbc9-4205950d210f", "value": "coldfart.com" }, { "category": "Network activity", "comment": "C2 server", "deleted": false, "disable_correlation": false, "timestamp": "1556096086", "to_ids": true, "type": "domain", "uuid": "5cc02456-7a84-49a2-b073-4ea8950d210f", "value": "rimrun.com" }, { "category": "Network activity", "comment": "C2 server", "deleted": false, "disable_correlation": false, "timestamp": "1556096086", "to_ids": true, "type": "domain", "uuid": "5cc02456-b618-4f07-9281-4404950d210f", "value": "kuternull.com" }, { "category": "Network activity", "comment": "Attribute #4346152 enriched by dns.", "deleted": false, "disable_correlation": false, "timestamp": "1556096170", "to_ids": false, "type": "ip-src", "uuid": "5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9", "value": "108.62.141.247" }, { "category": "Network activity", "comment": "Attribute #4346153 enriched by dns.", "deleted": false, "disable_correlation": false, "timestamp": "1556096185", "to_ids": false, "type": "ip-src", "uuid": "5cc024b9-0c94-42a4-820b-1bc4e387cbd9", "value": "74.118.138.192" }, { "category": "Payload delivery", "comment": "DNSpionage XLS document", "deleted": false, "disable_correlation": false, "timestamp": "1556097659", "to_ids": true, "type": "sha256", "uuid": "5cc02a7b-08f8-493b-b253-247f950d210f", "value": "2fa19292f353b4078a9bf398f8837d991e383c99e147727eaa6a03ce0259b3c5" }, { "category": "Payload delivery", "comment": "DNSpionage", "deleted": false, "disable_correlation": false, "timestamp": "1556097713", "to_ids": true, "type": "sha256", "uuid": "5cc02ab1-70b0-446f-8b28-2497950d210f", "value": "e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8" } ], 
"Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1556097770", "uuid": "3148bbb8-f76e-4556-b973-3dea9cf89820", "ObjectReference": [ { "comment": "", "object_uuid": "3148bbb8-f76e-4556-b973-3dea9cf89820", "referenced_uuid": "5f8b1fcb-d5e4-4e95-adc0-253f765c8f61", "relationship_type": "analysed-with", "timestamp": "1556097771", "uuid": "5cc02aeb-951c-403c-a129-4dfc950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1556096043", "to_ids": true, "type": "md5", "uuid": "0f2665a4-fc41-4752-892a-01b8758b8296", "value": "a583430c9c504fb216c9f976401ecd13" }, { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1556096043", "to_ids": true, "type": "sha1", "uuid": "7796fc3f-7861-44e1-92b6-51354380eed4", "value": "cd3b6c517227ad356264ff076cf0ea106b67fc13" }, { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1556096043", "to_ids": true, "type": "sha256", "uuid": "18704761-4e2d-4333-ac43-faefbe333694", "value": "cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1556097771", "uuid": "5f8b1fcb-d5e4-4e95-adc0-253f765c8f61", "Attribute": [ { "category": "Other", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1556096043", "to_ids": 
false, "type": "datetime", "uuid": "cb98656d-453e-40aa-b337-e83a5c473a20", "value": "2019-04-24T08:58:49" }, { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1556096043", "to_ids": false, "type": "link", "uuid": "28a8b196-6a06-44d6-962b-6efc4d4f3945", "value": "https://www.virustotal.com/file/cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5/analysis/1556096329/" }, { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1556096043", "to_ids": false, "type": "text", "uuid": "b29d31d3-c624-4c4c-99cd-626101e0d47b", "value": "38/71" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1556097771", "uuid": "6393b267-5ff7-4204-85cf-709530bc110d", "ObjectReference": [ { "comment": "", "object_uuid": "6393b267-5ff7-4204-85cf-709530bc110d", "referenced_uuid": "5baaf36e-74f0-4e6b-b18a-377bc301867e", "relationship_type": "analysed-with", "timestamp": "1556097772", "uuid": "5cc02aec-4960-420f-a0ff-4bc7950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "DNSpionage", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1556097713", "to_ids": true, "type": "md5", "uuid": "067f3c26-1fb0-402f-8e3d-d3c5f9188e75", "value": "530606b66bcd5a776f2cdecb34ee0fd1" }, { "category": "Payload delivery", "comment": "DNSpionage", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1556097713", "to_ids": true, "type": "sha1", "uuid": "1078e410-7fd9-4d8f-8bae-0328d8710bf9", "value": "72ada4db1c70214e19eece2021669d95b94c0d4f" }, { "category": "Payload delivery", "comment": 
"DNSpionage", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1556097713", "to_ids": true, "type": "sha256", "uuid": "b1899733-1587-4835-9410-d21cc9b0cb27", "value": "e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1556097771", "uuid": "5baaf36e-74f0-4e6b-b18a-377bc301867e", "Attribute": [ { "category": "Other", "comment": "DNSpionage", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1556097713", "to_ids": false, "type": "datetime", "uuid": "6e2a7b92-867b-4c11-8b30-b925221ce51a", "value": "2019-04-24T09:05:37" }, { "category": "Payload delivery", "comment": "DNSpionage", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1556097713", "to_ids": false, "type": "link", "uuid": "9eda0fba-ebc8-494e-81a2-3c45135c591e", "value": "https://www.virustotal.com/file/e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8/analysis/1556096737/" }, { "category": "Payload delivery", "comment": "DNSpionage", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1556097713", "to_ids": false, "type": "text", "uuid": "ee3f4732-30c5-49fc-9b1d-a6a732cb4f42", "value": "48/69" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1556097771", "uuid": "52ca9602-5ef6-4de3-b528-058d33844ea3", "ObjectReference": [ { "comment": "", "object_uuid": "52ca9602-5ef6-4de3-b528-058d33844ea3", "referenced_uuid": "993871f0-b786-4813-9811-7f60eb385014", "relationship_type": 
"analysed-with", "timestamp": "1556097772", "uuid": "5cc02aec-b188-4824-93a8-4b2a950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1556096043", "to_ids": true, "type": "md5", "uuid": "a873465c-a261-4ee6-a6d5-abb0a34a4faf", "value": "a37703a0d08996a5fc04db52b71b9bcd" }, { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1556096043", "to_ids": true, "type": "sha1", "uuid": "4c448f2e-3aeb-451d-b7d7-5a37c99218c1", "value": "7c7e1179eb3cd9effa92f303dd5e45ba881db15d" }, { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1556096043", "to_ids": true, "type": "sha256", "uuid": "ad3506fa-281e-4cbc-9e05-ef1f9f1ca703", "value": "6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1556097771", "uuid": "993871f0-b786-4813-9811-7f60eb385014", "Attribute": [ { "category": "Other", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1556096043", "to_ids": false, "type": "datetime", "uuid": "a0e51f81-2cc5-438d-96d0-de19d5e93442", "value": "2019-04-24T07:39:13" }, { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1556096043", "to_ids": false, "type": "link", "uuid": "ccb7b733-4e20-4840-9ee4-be4b8451f1e1", "value": "https://www.virustotal.com/file/6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11/analysis/1556091553/" }, { 
"category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1556096043", "to_ids": false, "type": "text", "uuid": "c6600e9e-5bf0-402c-8666-df0823154fe9", "value": "39/66" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1556097771", "uuid": "9daaf5c9-c7e0-444d-b551-ff231e16521a", "ObjectReference": [ { "comment": "", "object_uuid": "9daaf5c9-c7e0-444d-b551-ff231e16521a", "referenced_uuid": "fd6fe17b-18a9-4729-9276-796667da59b6", "relationship_type": "analysed-with", "timestamp": "1556097772", "uuid": "5cc02aec-8ed4-4f7b-ba4a-49fa950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1556096043", "to_ids": true, "type": "md5", "uuid": "8fa12a0b-e53d-4c01-ab8f-3b3ad668f236", "value": "5733afe71bd0a32328d6ed9978260fa4" }, { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1556096043", "to_ids": true, "type": "sha1", "uuid": "92b95038-5b7a-4e5e-94e3-bdfaf95c62c2", "value": "5dbaaf4b338471ad58065fcdf335673977b2b261" }, { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1556096043", "to_ids": true, "type": "sha256", "uuid": "179968a4-3bff-4c98-803c-300f44a0b9fc", "value": "5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", 
"timestamp": "1556097771", "uuid": "fd6fe17b-18a9-4729-9276-796667da59b6", "Attribute": [ { "category": "Other", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1556096043", "to_ids": false, "type": "datetime", "uuid": "287255d9-5d0f-49f7-afd9-256da7290db1", "value": "2019-04-24T07:39:16" }, { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1556096043", "to_ids": false, "type": "link", "uuid": "d2ae94de-8869-48a0-bff0-acf3465c6a74", "value": "https://www.virustotal.com/file/5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c/analysis/1556091556/" }, { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1556096043", "to_ids": false, "type": "text", "uuid": "7c4854e3-0c44-4143-b133-8273c30bf122", "value": "42/71" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1556097771", "uuid": "1fc50c0d-6a22-4c8f-9823-229fb2334f2e", "ObjectReference": [ { "comment": "", "object_uuid": "1fc50c0d-6a22-4c8f-9823-229fb2334f2e", "referenced_uuid": "71ee7c63-f4fa-463e-8a7d-054b9920e0a3", "relationship_type": "analysed-with", "timestamp": "1556097772", "uuid": "5cc02aec-de4c-4c85-8c9c-4c6a950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1556096043", "to_ids": true, "type": "md5", "uuid": "5da89e65-dfd0-4542-a839-2807e8de65eb", "value": "85a3a5f55fcbe63d2181cfa753f35fe1" }, { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, 
"disable_correlation": false, "object_relation": "sha1", "timestamp": "1556096043", "to_ids": true, "type": "sha1", "uuid": "1d1548bb-1a6f-4fad-96f1-3d4038a0e721", "value": "d9844a1845446367822944464ba65965b1b70c4f" }, { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1556096043", "to_ids": true, "type": "sha256", "uuid": "8989c2b0-f677-4226-b088-e396cd7e5f24", "value": "b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1556097771", "uuid": "71ee7c63-f4fa-463e-8a7d-054b9920e0a3", "Attribute": [ { "category": "Other", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1556096043", "to_ids": false, "type": "datetime", "uuid": "4ab8fa22-de5b-4d45-b328-a28f6ca4bc4f", "value": "2019-04-24T07:39:18" }, { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1556096043", "to_ids": false, "type": "link", "uuid": "2490a445-4913-49ad-9366-9cecf26b7505", "value": "https://www.virustotal.com/file/b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04/analysis/1556091558/" }, { "category": "Payload delivery", "comment": "Karkoff sample", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1556096043", "to_ids": false, "type": "text", "uuid": "3d31e031-8726-4941-a004-143375bd7aa0", "value": "41/65" } ] } ] } }