Karkoff 2020: a new APT34 espionage operation involves Lebanon Government

Pierluigi Paganini March 02, 2020

Experts from Cybaze/ Yoroi Zlab spotted a new sample of the Karkoff implant that was employed in past campaigns associated with Iran-linked APT34 group.


In November 2018, researchers from Cisco Talos tracked and detailed a “DNSEspionage” campaign against targets in Lebanon and UAE. At the time of the report, the threat actor carried out a cyber espionage campaign by redirecting DNS traffic from domains owned by the Lebanon government to target entities in the country.

In April 2019, Cisco Talos discovered evidence of the link between APT34 (codename Helix Kitten or OilRig) and the “DNSEspionage” operation. Talos analysts discovered several overlaps in the infrastructure employed by attackers and identified common TTPs. They tracked this new implant as “Karkoff”.

Experts from Cybaze/ Yoroi Zlab, as part of ordinary Threat Intelligence activities, spotted a new sample which they believe to be an update of the Karkoff implant. It could prove that APT34 is still active and that the threat actors used it in a new campaign that appears to be active at the time of writing. The APT group made some changes in its techniques, tactics, and procedures, but the target is the same: the Lebanon Government.

In this campaign, the APT group may have compromised a Microsoft Exchange Server belonging to a Lebanon government entity; in fact, we found some evidence of this in the communication logic.

This new implant has some similarities with the samples of Karkoff involved in past campaigns, including:

  • similar Macro structure
  • .NET modular implant with similar logic
  • use of Microsoft Exchange Server as a communication channel

Moreover, the new Karkoff implant implements a new reconnaissance logic in order to drop the final payload only to specific targets, gathering system information, the domain name, hostname and running Operating System.


A few hours before this report was publicly disclosed, malware researchers at the Italian cyber security firm Telsy also published their analysis.

Both reports are related to the same sample, but let me suggest reading both analyses to have a clear vision of the threat actors and all the technical details related to the implant. The report published by Telsy is available here: LINK.

Technical Analysis

Hash: 59cbc7e788425120c2dde50f037afbf3b1d2108c0b7e27540e924cad2463fe5b
Threat: APT34 Karkoff macro loader
Brief Description: Malicious Excel macro
Ssdeep: 24576:zLNkxqHOPi1K5sLMKd2rVIehO/KBhjPyVuVX/+2PPbK:wl4E

Table 1. Sample information

The malware is an Excel document with a malicious macro embedded. The following image (Fig. 1) shows the highlights of the extracted code.

Fig.1. Malicious Macro: drop and execute monitor.exe

The macro extracts custom base64-encoded data from the body of the file and, after a decoding routine, downloads an executable file to the path “C:\Users\public\.Monitor\monitor.exe”. Persistence is assured by scheduling a new task named SystemExchangeService. The following image shows the scheduled task.

Fig.2. Persistence with SystemExchangeService
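A hunting check for the persistence described above, as an added example that is not code from the original report or from the implant. It assumes task definitions are available as Task Scheduler XML (for instance from an export) and flags the reported task name, the reported payload path, and, as a generalisation, any task action that runs from a dot-prefixed folder under C:\Users\Public; the sample tasks are constructed.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Indicators quoted in the article
IOC_TASK = "systemexchangeservice"
IOC_PATH = "c:\\users\\public\\.monitor\\monitor.exe"
PUBLIC = "c:\\users\\public"

def exec_paths(task_xml):
    """Normalised, lower-cased paths of every Exec action in a task definition."""
    root = ET.fromstring(task_xml)
    for node in root.findall("./t:Actions/t:Exec/t:Command", NS):
        cmd = (node.text or "").strip().strip('"').lower()
        cmd = cmd.replace("%public%", PUBLIC)   # only variable resolved here
        if cmd:
            yield ntpath.normpath(cmd)          # collapses "..", fixes slashes

def assess_task(name, task_xml):
    """Return the reasons a task looks like the persistence described above."""
    reasons = []
    if name.rsplit("\\", 1)[-1].lower() == IOC_TASK:
        reasons.append("task name matches article IoC")
    for path in exec_paths(task_xml):
        if path == IOC_PATH:
            reasons.append("action runs article payload path")
        elif path.startswith(PUBLIC + "\\"):
            folders = path[len(PUBLIC) + 1:].split("\\")[:-1]
            if any(f.startswith(".") for f in folders):
                reasons.append("action runs from dot-prefixed folder under Users\\Public")
    return reasons

def hunt(tasks):
    """Map task name -> reasons, for flagged tasks only."""
    hits = {n: assess_task(n, x) for n, x in tasks}
    return {n: r for n, r in hits.items() if r}

def _task(command):  # constructed minimal task XML, not captured from a host
    return ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            "<Actions><Exec><Command>%s</Command></Exec></Actions></Task>" % command)

SAMPLE_TASKS = [  # constructed sample data
    ("\\SystemExchangeService", _task(r"C:\Users\public\.Monitor\monitor.exe")),
    ("\\Updater", _task(r'"%PUBLIC%\Docs\..\.cache\svc.exe"')),
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", _task(r"%windir%\system32\defrag.exe")),
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_TASKS).items():
        print(name, "->", "; ".join(reasons))
```

The name and path matches are exact indicators from this report; the dot-prefixed-folder rule is a broader heuristic and should be tuned against a baseline of legitimate tasks.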

The extracted payload is summed up as follows:


Fig.3. Static details of monitor.exe

The extracted payloads were not obfuscated at all. This made for a simple and quick analysis.

As shown in the above figure, the creation date is on


Fig.4. details of compromised mail exchange server parameters

As the first step, as shown in Fig 4, the sample tries to connect to its own command and control server, which happens to be an Exchange mail server belonging to the Lebanon government. Once it connects, the C2 answers back with the list of available commands as attachments in a replied e-mail. Fig 5 shows the GetList function from where we might appreciate the eMail body decoding process. From the body, a custom encoded string is decoded and later it is interpreted as a command.

Fig.5. detail of GetList function responsible for getting the list of available commands as mail attachments

Following our analysis, we noticed the malware tries to connect back and forth to its C2 to get authorization and to share detailed information about the infected system. It used “UserAgent” of the exchange client. Fig 6 shows details on what is hijacked from the victim’s side.


Fig.6. details of Information stolen on the victim’s machine

Another piece of evidence is the domain registration of the second command and control: it was registered on January 27, probably indicating the date of the beginning of the new attack.

Fig.7. details of domain registration godoycrus[.com


APT34 is still active, and this campaign against the Lebanon government demonstrates it. The new version of the Karkoff malware demonstrates that the Iran-linked APT34 cyberespionage group continues to improve its arsenal. The sample involved in this campaign implements new reconnaissance capabilities and a covert and effective C2 communication channel through the use of the Microsoft Exchange Protocol.

The group likely exploited or brute-forced a Lebanon-related mail account with another tool of its arsenal, the JASON tool. The Jason tool was leaked at the end of 2019; it could be used by attackers to carry out brute-force attacks on Exchange servers.

Technical details about the Karkoff implant, including Indicators of Compromise (IoCs) and Yara rules, are reported in the analysis published by researchers at Cybaze-Yoroi ZLab.


Pierluigi Paganini

(SecurityAffairs – malware, Karkoff)
