#oracleservices
simple-logic · 6 months ago
Explore the capabilities of Oracle Cloud Infrastructure (OCI) and how it revolutionizes business operations with unmatched scalability, security, and performance. Learn how Simple Logic helps businesses harness OCI for seamless cloud migration, cost optimization, and IT modernization. Unlock the true potential of your business with OCI today! 🚀☁️
altdigitaltechnologies · 8 months ago
Unlock Oracle ATG Commerce at Alt Digital Technologies
Oracle ATG Commerce unlocks enhanced revenue streams, solid delivery of positive customer experiences, and real-time customer experiences for any business. Here are four essential ways your business can benefit.
1. Customer Experience: Advanced targeting capabilities ensure that appropriate experiences are provided to every customer.
2. Omnichannel Support: Web, mobile, and in-store functions are combined for a seamless shopping experience.
3. Scalability for Business Growth: As your business grows, so does Oracle ATG Commerce, with its ability to manage extremely high traffic and transaction volumes.
4. Data-Driven Insights: Use customer data to make smarter marketing and sales decisions.
Are you ready for change? Let Oracle ATG Commerce transform your business. Consult Alt Digital Technologies to set up for success. Call now!
#oracle #atg #oraclecommerce #atgcommerce #oracleatgcommerce #services #oracleservices #atgservices #atgcommerceservices #customerexperience #digitaltransformation #ecommerce
oracletech85 · 1 year ago
Microsoft Dynamics Services: Empowering Businesses in Pune, Noida, Delhi, and UAE
In the thriving tech hubs of Pune, Noida, Delhi, and the dynamic markets of the UAE, Microsoft Dynamics services are revolutionizing how businesses manage their operations, customer relationships, and overall growth.
Local Expertise and Global Reach:
Tectura India: As a premier Microsoft partner, Tectura brings deep expertise in Microsoft Dynamics service in Pune. With over 2,000 client engagements, they ensure organizations in Noida and beyond get the highest level of attention and results from Microsoft technology.
Trident Info: A reputed Microsoft Dynamics 365 partner in India and the UAE, Trident Info specializes in Dynamics 365 (AX), Azure, Power BI, and LS Retail.
Read the complete microblog here:
Microsoft Dynamics Services: Empowering Businesses in Pune, Noida, Delhi, and UAE | by Oracleservices | May, 2024 | Medium
epiqinfotech · 4 years ago
10 Key Differences Between Oracle Fusion and Oracle Cloud
CIOs and CISOs are often found discussing the “next big move”. With a focus on cost-cutting and process efficiency improvement, these key stakeholders are leaving no stone unturned. From migrating their physical servers to Oracle Fusion applications to adopting secure coding practices, CIOs are putting their best foot forward.
On the other hand, Oracle, as an industry leader, is busy building products that match the needs of enterprises without putting a hole in their pockets. With the launch of Oracle Fusion, the organization has changed the game. Unlike traditional cloud services, this new product is not limited to hosting files on the cloud; it offers access to additional tools that simplify business processes and bring efficiency.
Developed to grab the small-medium business market, Oracle Fusion is a family of software applications that saves SMBs from going extravagant on tool licensing and renewals.
Oracle Fusion is generally divided into two entities:
Oracle Fusion Middleware: Offers access to qualified software architectures and state-of-the-art hardware to help businesses around complex processes effectively.
Oracle Fusion Applications: This entity consists of applications used by Fusion users to simplify complex processes. It includes tools like BPM, CRM, GRC, and HCM.
While Fusion is being estimated as the prodigy, Oracle Cloud continues to be everyone’s favorite. The latter offers access to exceptional storage, database, and computing capabilities.
With Oracle Cloud, businesses can free themselves from the worry of handling physical servers. The product was built to help businesses adopt the next big thing in tech and the release of newer versions like EBS R12 have only strengthened the expansion.
With the release of the new Fusion version, customers are a little skeptical; they are unable to identify the best-suited tool for themselves. Going forward we will be discussing key differences between the two tools to facilitate improved decision making.
Here is the list of 10 major differences between Oracle Fusion & Oracle Cloud
The Oracle Fusion tool is the next-generation business application and, sooner or later, it is likely to render all existing Oracle products redundant. While Oracle Cloud has released newer versions like EBS R12, they are nowhere close to Fusion’s capabilities.
The whizz-kid Fusion offers access to the best of Oracle’s tools, whereas the former versions from the organization only provide access to computation, storage, and networking capabilities.
Oracle Fusion is more efficient since it follows the SaaS model, where businesses can rely on a service-oriented architecture and access all quality tools uninterrupted. The older paradigm is nowhere close to the capabilities of the new tool.
Oracle middleware services are helping enterprises achieve their planned cost-efficiency by reducing expenditure on software architecture. Oracle cloud still demands users to spend on software and hardware extensively.
The Fusion version offers an exceptional user experience and an innovative, rich, and improved framework. The tool is also equipped with Web 2.0 features like RSS feeds, tags, and social media, which are yet to be a possibility for users of Oracle EBS 12.
Fusion tools from the house of Oracle are offering access to new and improved UI layouts, which are not available in other Oracle products. UI layouts including:
Global Region, which is always present and consistent.
Task Region to support important tasks.
Location Region to support easier transaction entry & management.
For the first time, Oracle has introduced Analytics. The new dashboard provides access to all requisite information leading to improved and faster decision making. All actions performed can be tracked, measured, and analyzed from here. Dashboards are unavailable in former versions.
Oracle Cloud has an advantage over Oracle Fusion since the latter doesn’t offer functionalities like manufacturing and call centers; the Fusion version also focuses a lot on horizontal applications instead of industry solutions, which gives the older versions an edge. Another advantage the cloud version has over the latest product is Encumbrance.
In the new improved tool, users can move configuration across the instances, which was not possible with previous offerings from Oracle. Also, the newer tool doesn’t require creating multiple COA.
Oracle Fusion Accounting Hub is an exceptional addition, which is not available in previous tools. Hyperion Financial Management is also embedded in the Fusion version, which is a huge benefit for organizations. It saves costs, improves efficiency, and adds speed to all financial processes.
End Thought
Oracle JD Edwards services from Epiq have a demonstrated history, where the organization has helped other businesses establish a system and streamline their existing processes to achieve efficiency like never before. With Epiq’s affordable Oracle consulting services, businesses can get ready to run processes in automatic mode. The support guarantees speed improvements and process revamps without disturbing day-to-day functionality and with minimum downtime.
givemexpert · 3 years ago
We offer the right Oracle Cloud Application service, ensuring perfection, growth, and productivity at every stage to deliver quality and drive your growth, innovation, and success. For more information visit our website: https://www.givemexpert.com
synergytop · 4 years ago
Oracle commerce services - Best oracle ecommerce developer - SynergyTop
How to Migrate Oracle Commerce On-Premise to Oracle Commerce Cloud? Write to us at [email protected] to learn how you can leverage your OCC Ecommerce platform. At SynergyTop we provide the best Oracle commerce services, as we have the best Oracle ecommerce developers.
smconsultant123 · 4 years ago
Data migration service! SM Consultant offers the right Data Migration consulting service, ensuring perfection, growth, and productivity at every stage to deliver quality. Drive your growth, innovation, and success with our Data Migration consulting. Drop us a query now. Phone: US +1-650-585-2312, India +91.7799196622. Email: [email protected]. Visit our website: https://smconsultant.com/ Visit page: https://smconsultant.com/service/data-migration/
armariacooper · 4 years ago
Oracle ERP Integration
bTranz Technological Solutions is a company professionally managed by a team of highly experienced technocrats with over a decade of experience. Our innovative, qualified and experienced team brings together knowledge, experience and processes, which enables us to deliver a solution that is the best value proposition for our customers.
https://btranz.com/contact.html
exporadatabase · 5 years ago
EDCS, one of the top staffing agencies in Malaysia, understands the needs of your company and is among the leading contract staffing companies in Malaysia. Other services include SAP Services, Cloud Services, Oracle Services, and Database and Infrastructure Services.
cloudspacellc · 2 years ago
Cloud Space LLC: Your Trusted Oracle Service Provider in the US Staffing Market
Cloud Space LLC is a leading Oracle service provider in the US staffing market. With our extensive experience and expertise in Oracle technologies, we offer comprehensive solutions to meet the diverse needs of businesses across various industries.
As an Oracle service provider, we understand the critical role that Oracle systems play in the success of organizations. Our team of highly skilled Oracle consultants is proficient in implementing, optimizing, and managing Oracle applications, databases, and infrastructure. We work closely with our clients to analyze their requirements and provide tailored solutions that align with their business goals.
One of our key strengths lies in our deep knowledge of the US staffing market. We recognize the unique challenges faced by staffing companies, such as managing large volumes of data, ensuring compliance with regulations, and streamlining recruitment processes. By leveraging Oracle's robust suite of staffing solutions, we help our clients enhance operational efficiency, improve candidate sourcing and management, and drive overall business growth.
At Cloud Space LLC, we offer a wide range of Oracle services, including:
Oracle Implementation: We assist in the seamless implementation of Oracle applications, ensuring a smooth transition and minimal disruption to your business operations.
Database Management: Our experts manage and optimize Oracle databases, ensuring optimal performance, data integrity, and security.
Application Support: We provide comprehensive support and maintenance services for Oracle applications, ensuring they are running efficiently and meeting your business needs.
Cloud Migration: We help you migrate your Oracle systems to the cloud, enabling you to leverage the scalability, flexibility, and cost-efficiency of cloud computing.
Custom Development: Our team can develop customized Oracle solutions to address your unique business requirements, enhancing your operational effectiveness.
#CloudSpaceLLC #OracleServices #ITConsulting #StaffingSolutions #CloudTechnology #BusinessEfficiency #DataManagement #CustomizedSolutions #CloudMigration #TechnologyPartnership #OperationalExcellence #oracle
simple-logic · 6 months ago
Discover how Simple Logic transforms Oracle Cloud Infrastructure (OCI) deployments! From seamless migrations to enhanced performance and cost efficiency, we offer expert solutions to unlock the full potential of OCI for your business. Ready to elevate your cloud experience? Explore the possibilities with Simple Logic! ☁️🚀
altdigitaltechnologies · 11 months ago
Give a makeover to your online storefront with Oracle Commerce
If you want to be competitive, you need to deliver an engaging and seamless experience to your customers. Oracle Commerce is a solution that can help you transform your e-commerce platform. Our certified Oracle Commerce developers are proficient in providing user-friendly, uninterrupted, and engaging shopping experiences to your customers.
What you can expect from us for Oracle Commerce development services:
Digital commerce strategy
Streamlined integration
Customized customer experiences
Scalable solutions for enhanced performance
Our ATG developers will help you at every step of your digital commerce journey. We will ensure your online store runs smoothly. Let’s talk about how Oracle ATG Commerce can help you stand out.
Talk to us now: https://www.altdigital.tech/about-us/contact-us
#oracle #oraclecommerce #atg #atgcommerce #oracleatgcommerce #oracleservices #oraclecommerceservices #oraclecommercedevelopment #oracledevelopers #oraclecomercedevelopers #atgdevelopers
ashunyainc · 2 years ago
Ashunya Provides Best Oracle Service in USA
Counting on a reliable Oracle service in the USA is invaluable, and that's exactly what Ashunya provides. We are proud to have experienced professionals who are well-versed in Oracle technology and can provide the best service and solutions for your business. With their expertise and commitment, you can rest assured that your Oracle needs will be efficiently handled! Contact us: Phone: 7142690252 Email: [email protected] Visit us: https://www.ashunya.com/
#ashunya #oracleservice #oracletechnology #oraclecloud #oracle #cloud #oraclecloudinfrastructure #cloudcomputing #oci #aws #oracleerp #oraclelinux #oraclevm #thecloudbootcamp #database #dataanalytics #sql #oracledatabase #java #it #informationtechnology #itjobs #javascript #plsql #javadeveloper #itprogrammingjobs #microsoftazure #developer #oraclefusion #qatester #autonomousdatabase
otterhackerxyz · 6 years ago
How to Remove Oracle services from Windows
If you have uninstalled the Oracle software from your system but the services were not removed, a later reinstall of Oracle fails when you try to configure an instance with the old name, because that service name is still registered.

Method 1: To remove the OracleService, go to the command prompt and type:

oradim -delete -sid SID

where SID is the SID of your database as it appears when you type "net start | more" (you should see an "OracleServiceSID" entry).

Method 2: If you have the Resource Kit, you can use delsrv.exe to remove the listener service. If you don't have the Resource Kit, you can download delsrv.exe from Microsoft Support: http://www.microsoft.com/windows2000/tec…

Method 3: Open the Registry Editor (type regedit in Run). Take a backup of the registry first: click the File menu in the Registry Editor and export the backup to any location, so that you can import your old registry whenever required. Then go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. From there you can remove the Oracle services (select the key and press Delete).

Manually removing all Oracle components and services from your system

These instructions remove all Oracle components, services, and registry entries from your computer. In addition, any database files in the subdirectories under ORADATA, Oracle network configuration files, user-made scripts and any other stored scripts are also removed.

WARNING: Removing all Oracle components from your computer manually is not recommended; use it only as a last option. Exercise extreme care when removing registry entries, because removing incorrect entries can severely compromise your computer.

On Windows NT/Windows 2000/Windows XP:

1. Log in with a user that has Administrator privileges.

2. Stop all running Oracle services. To list the services, either go to Control Panel > Services or type services.msc in Run. If any Oracle service has the status Started, right-click it and press Stop.

3. Start the Registry Editor (type regedit in Run) and go to HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE.
Note the value of the key INST_LOC; this is the location of the Oracle Universal Installer. The default location is C:\Program Files\Oracle\Inventory. If this value is different, make a note of it, as that directory will be deleted later. Then delete this ORACLE key.
From HKEY_LOCAL_MACHINE\SOFTWARE\ODBC remove all keys related to the "Oracle ODBC Driver".
From HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services remove all keys that begin with ORACLE or ORAWEB.
From HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application remove all keys that begin with ORACLE.
From HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall remove any entries related to Oracle.
From HKEY_CLASSES_ROOT remove all keys that begin with Oracle, OraPerf or OraOLEDB.

4. Do not forget to clean up the environment settings. Go to Control Panel > System > Environment tab and click on the variable PATH to modify its value:
– If %ORACLE_HOME% was installed, remove the %ORACLE_HOME%\bin path.
– If a JRE was installed by Oracle, remove the JRE path.
– If there is a CLASSPATH variable, make a note of it and then delete it. It can be added back later if needed.
– If any other Oracle variables exist, delete them as well.

5. Delete the software and icons. Note: these locations depend on the OS and on whether this was an upgrade or a fresh install.

6. After deleting the installed Oracle files from the hard drive, reboot your computer.

On Unix/Linux (this method is not recommended; it is better to use the Oracle Universal Installer (OUI)):

rm -rf $ORACLE_HOME
rm -rf /etc/ora*
rm -rf /path/to/your/oraInventory
rm -f /usr/local/bin/coraenv
rm -f /usr/local/bin/oraenv
rm -f /usr/local/bin/dbhome
terabitweb · 6 years ago
Original post from Talos Security. Warren Mercer and Paul Rascagneres authored this post.
Update 4/24: The C2 section below now includes details around the XOR element of the C2 communication system.
Executive summary
In November 2018, Cisco Talos discovered an attack campaign, called DNSpionage, in which threat actors created a new remote administrative tool that supports HTTP and DNS communication with the attackers’ command and control(C2). Since then, there have been several other public reports of additional DNSpionage attacks, and in January, the U.S. Department of Homeland Security issued an alert warning users about this threat activity.
In addition to increased reports of threat activity, we have also discovered new evidence that the threat actors behind the DNSpionage campaign continue to change their tactics, likely in an attempt to improve the efficacy of their operations. In February, we discovered some changes to the actors’ tactics, techniques and procedures (TTPs), including the use of a new reconnaissance phase that selectively chooses which targets to infect with malware. In April 2019, we also discovered the actors using a new malware, which we are calling “Karkoff.”
This post will cover the aforementioned DNSpionage updates, the discovery of the Karkoff malware and an analysis of the recent Oilrig malware toolset leak — and how it could be connected to these two attacks.
DNSpionage update
New infection document, same macro
In our previous post concerning DNSpionage, we showed that the malware author used malicious macros embedded in a Microsoft Word document. In the new sample from Lebanon identified at the end of February, the attacker used an Excel document with a similar macro:
Instead of using the .oracleServices directory, which we had previously observed, the attacker uses a .msdonedrive directory and renames the malware “taskwin32.exe.” The scheduled task was also renamed to “onedrive updater v10.12.5.”
Payload
Overview
This new sample is similar to the previous version disclosed in our previous post. The malware supports HTTP and DNS communication to the C2 server. The HTTP communication is hidden in the comments in the HTML code. This time, however, the C2 server mimics the GitHub platform instead of Wikipedia. While the DNS communication follows the same method we described in our previous article, the developer added some new features in this latest version and, this time, the actor removed the debug mode.
We also discovered that the actor added a reconnaissance phase, likely in response to the significant amount of interest in the campaign. This new phase, which is discussed in greater detail below, ensures that the payload is being dropped on specific targets rather than indiscriminately downloaded on every machine. This new tactic indicates an improved level of actor sophistication.
New reconnaissance phase
On the initial execution, the malware drops a Windows batch file (a.bat) in order to execute a WMI command and obtain all the running processes on the victim’s machine:
wmic process list
The malware also identifies the username and computer name of the infected system. Finally, it calls the NetWkstaGetInfo() API with level 100 to retrieve additional information about the system (the value passed is 0x64, which is 100 in decimal).
This level returns information about the workstation environment, including platform-specific information, the names of the domain and the local computer, and information about the operating system. This information is key to letting the malware select only its intended victims and attempt to avoid researchers or sandboxes. Again, it shows the actor’s improved abilities, as they now fingerprint the victim.
API and strings obfuscation
In this latest version, the developer split some strings into two parts. The actor uses this technique to “hide” API names and internal strings, which defeats simple static string analysis.
Below is an example of a split API call. The two halves appear in reverse order, “rNameA” followed by “GetUse,” and the disassembler’s auto-generated labels are split accordingly, “aRnamea” and “aGetuse” (GetUserNameA()):
Below is an example of an internal string split (.\Configure.txt):
This approach is not particularly sophisticated compared to what we usually observe. However, it is enough to break a Yara rule based on these strings. For example, the following rule would no longer alert due to a failed pattern match:
rule DNSpionage
{
    strings:
        $conf = "Configure.txt"
    condition:
        all of them
}
Let’s check your anti-virus
The malware searches for two specific anti-virus platforms: Avira and Avast.
If one of these security products is installed on the system and identified during the reconnaissance phase, a specific flag will be set and some options from the configuration file will be ignored.
DNSpionage Excel maldoc
This new sample of DNSpionage has some oddities which we believe might be the actor’s attempt to taunt or poke fun at the research community. We occasionally see this in cases where actors are disclosed by researchers or vendors. In DNSpionage, upon opening the Excel document, users are greeted with the insult, “haha you are donkey [sic].” The broken English suggests the actor is unlikely a native English speaker.
The domain used for the C2 is also bizarre. The previous version of DNSpionage attempted to use legitimate-looking domains in an attempt to remain undetected. However, this newer version uses the domain “coldfart[.]com,” which would be easier to spot than other APT campaigns which generally try to blend in with traffic more suitable to enterprise environments. The domain was also hosted in the U.S., which is unusual for any espionage-style attack. This type of behavior will likely continue to distinguish this actor from more concerning campaigns like Sea Turtle, a separate DNS hijacking campaign we wrote about last week.
Along comes a Karkoff
Payload analysis
In April, Cisco Talos identified an undocumented malware developed in .NET. In the analyzed samples, the malware author left two different internal names in plain text: “DropperBackdoor” and “Karkoff.” We decided to use the second name as the malware’s moniker, as it is less generic. The malware is lightweight, with a small footprint, and allows remote code execution from the C2 server. There is no obfuscation and the code can be easily disassembled. The malware is a Windows service named “MSExchangeClient:”
From an incident response point of view, it’s interesting to note that the malware generates a log file: C:\Windows\Temp\MSEx_log.txt. The executed commands are stored in this file (xored with ‘M’) with a timestamp. This log file can be easily used to create a timeline of the command execution which can be extremely useful when responding to this type of threat. With this in mind, an organisation compromised with this malware would have the opportunity to review the log file and identify the commands carried out against them.
C2 communication
The C2 servers are hardcoded in the analyzed samples:
The malware uses the domain or the IP address. Karkoff supports HTTP and HTTPS communications.
Karkoff first base64-encodes the C2 communications, then further obfuscates them by applying an XOR with the key 70 (decimal).
This key is derived from the “DropperBackdoor.constants” value “Constants.k__BackingField = 70;”.
The JSON .NET library is embedded in the malware. This library is used to handle messages from the C2 server. The answer is first decoded (base64) and the commands match the following pattern:
[{"ID": "123", "Data": "filename.exe|base64PEContent", "Type": "101"}, {"ID": "124", "Data": "filename.exe arg1 arg2", "Type": "102"}].
Command type 101 means that the data is a base64-encoded file. The file is stored under the filename placed before the pipe (filename.exe in our example). For command type 102, the data field holds the command line to be executed.
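The decoding steps just described, written from the responder's side as an added example (not Talos's code and not the malware's): it strips the XOR (key 70) and base64 layers from a C2 reply, splits type 101 entries into filename and hashed payload, recovers type 102 command lines, and decodes the 'M'-XORed MSEx_log.txt into a timeline. The layer order (XOR applied outermost), the log's line layout and every sample message are assumptions constructed here, not captured traffic.

```python
"""Decode Karkoff C2 responses and its MSEx_log.txt for incident response."""
import base64
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple

C2_XOR_KEY = 70         # "Constants.k__BackingField = 70;" in the sample
LOG_XOR_KEY = ord("M")  # entries in C:\Windows\Temp\MSEx_log.txt are XORed with 'M'
CMD_DROP_FILE = "101"   # Data = "filename|base64(PE)"
CMD_RUN = "102"         # Data = "command line to execute"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice restores the original bytes."""
    return bytes(b ^ key for b in data)


@dataclass
class DroppedFile:
    filename: str
    size: int
    sha256: str  # hash of the payload, for IOC matching without writing it to disk


@dataclass
class RunCommand:
    command_line: str


def decode_c2_response(raw: bytes) -> list:
    """Strip the XOR layer, then the base64 layer, and parse the JSON list.
    Assumption: XOR is the outer layer, since the post says base64 is applied
    first and the XOR "further obfuscates" the result."""
    return json.loads(base64.b64decode(xor_bytes(raw, C2_XOR_KEY)))


def parse_commands(entries: list) -> List[Tuple[str, object]]:
    """Map decoded JSON entries to typed commands, keyed by their ID. Unknown
    Type values are kept as None rather than dropped, so a new command type
    in a future sample still surfaces during triage."""
    parsed: List[Tuple[str, object]] = []
    for entry in entries:
        ctype, data = entry["Type"], entry["Data"]
        if ctype == CMD_DROP_FILE:
            name, _, b64_pe = data.partition("|")
            content = base64.b64decode(b64_pe)
            digest = hashlib.sha256(content).hexdigest()
            parsed.append((entry["ID"], DroppedFile(name, len(content), digest)))
        elif ctype == CMD_RUN:
            parsed.append((entry["ID"], RunCommand(data)))
        else:
            parsed.append((entry["ID"], None))
    return parsed


def decode_log(raw: bytes) -> List[str]:
    """Recover the command timeline from an MSEx_log.txt blob. Assumption: the
    whole file, newlines included, is XORed with 'M'; the post only says each
    entry carries a timestamp, so the line layout of the fixture is constructed."""
    return xor_bytes(raw, LOG_XOR_KEY).decode("utf-8", "replace").splitlines()


def triage(raw_response: bytes) -> List[str]:
    """One human-readable line per command, for an IR report."""
    lines = []
    for cid, cmd in parse_commands(decode_c2_response(raw_response)):
        if isinstance(cmd, DroppedFile):
            lines.append(f"[{cid}] drop {cmd.filename} ({cmd.size} bytes, sha256 {cmd.sha256})")
        elif isinstance(cmd, RunCommand):
            lines.append(f"[{cid}] run {cmd.command_line}")
        else:
            lines.append(f"[{cid}] unknown command type")
    return lines


# --- Constructed fixtures (not captured traffic) ---------------------------
def build_sample_response(commands: list) -> bytes:
    """Apply the layering in encode order (JSON -> base64 -> XOR) purely to
    give the decoder realistic input."""
    return xor_bytes(base64.b64encode(json.dumps(commands).encode()), C2_XOR_KEY)


SAMPLE_PE = b"MZ" + b"\x00" * 62  # constructed 64-byte stand-in for a PE file
SAMPLE_COMMANDS = [
    {"ID": "123", "Type": "101",
     "Data": "filename.exe|" + base64.b64encode(SAMPLE_PE).decode()},
    {"ID": "124", "Type": "102", "Data": "filename.exe arg1 arg2"},
]
SAMPLE_RESPONSE = build_sample_response(SAMPLE_COMMANDS)
SAMPLE_LOG = xor_bytes(b"2019-04-10 09:12:33 filename.exe arg1 arg2\n", LOG_XOR_KEY)

if __name__ == "__main__":
    for line in triage(SAMPLE_RESPONSE) + ["log: " + l for l in decode_log(SAMPLE_LOG)]:
        print(line)
```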
Links between DNSpionage and Karkoff
We identified infrastructure overlaps in the DNSpionage and the Karkoff cases. One of the Karkoff C2 servers is rimrun[.]com. Here is the history of the IPs behind this domain:
108.62.141[.]247 -> from 12/19/18 to 4/13/19
209.141.38[.]71 -> on 12/26/18
107.161.23[.]204 -> on 12/26/18
192.161.187[.]200 -> on 12/26/18
The following IPs have links to our original DNSpionage blog post:
107.161.23[.]204 was used by 0ffice360[.]com on 9/21/18
209.141.38[.]71 was used by hr-wipro[.]com on 9/26/18
192.161.187[.]200 was used by 0ffice360[.]com on 9/21/18
These dates also match the timeline of observed attacks during the DNSpionage campaign. Based on these overlaps in IP usage during the same time period, we have high confidence the same actor uses the Karkoff and DNSpionage samples.
Alleged Oilrig leak links
An alleged Oilrig leak appeared online on April 18. Information from the leak provides a weak link between Oilrig and the DNSpionage actors based on similar URL fields. While not definitive, it is an interesting data point to share with the research community.
The leak contains a webmask_dnspionage repository. This repository contains scripts used to perform man-in-the-middle attacks, but nothing about the DNSpionage or Karkoff C2 panels. However, the screenshots showed a URL that attracted our attention:
We identified the C2 panel as “Scarecrow,” but we did not identify references to this panel in the leak. The victims in this screenshot are mainly from Lebanon, which is one of the areas targeted by DNSpionage and Karkoff. The URL provides some other relevant information:
The URL contains the /Th!swasP@NEl directory. After our first publication, LastLine published a blog post explaining that the actor made some mistakes in their Django configuration:
You can see the content of the PANEL_PATH variable of the DNSpionage C2 server: /Th!sIsP@NeL. The panel path of the leak and Django internal variables of the DNSpionage C2 server are very similar: /Th!swasP@NEl and /Th!sIsP@NeL. While this single panel path is not enough to draw firm conclusions, it is worth highlighting for the security research community as we all continue to investigate these events.
Conclusion
The threat actor’s ongoing development of DNSpionage malware shows that the attacker continues to find new ways to avoid detection. The oddities we mentioned are certainly not normal, but the payload was clearly updated to attempt to remain more elusive. DNS tunneling is a popular method of exfiltration for some actors and recent examples of DNSpionage show that we must ensure DNS is monitored as closely as an organization’s normal proxy or weblogs. DNS is essentially the phonebook of the internet, and when it is tampered with, it becomes difficult for anyone to discern whether what they are seeing online is legitimate. The discovery of Karkoff also shows the actor is pivoting and is increasingly attempting to avoid detection while remaining very focused on the Middle Eastern region. Cisco Talos will continue to monitor for activity from this actor and ensure our protection and detection capabilities continue to prevent such advanced attacks on our customers.
Coverage
Additional ways our customers can detect and block this threat are listed below.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. Below is a screenshot showing how AMP can protect customers from this threat.
Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.
Email Security can block malicious emails sent by threat actors as part of their campaign.
Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.
AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.
Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Indicators of Compromise (IOCs)
The following IOCs are associated to this campaign:
DNSpionage XLS document
2fa19292f353b4078a9bf398f8837d991e383c99e147727eaa6a03ce0259b3c5 (SHA256)
DNSpionage sample
e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8 (SHA256)
Karkoff samples
5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c
6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11
b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04
cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5
C2 server
coldfart[.]com
rimrun[.]com
kuternull[.]com
Go to Source: DNSpionage brings out the Karkoff (Talos Security)