The DNSpionage malware campaign has added a new reconnaissance stage showing that the attackers have become more picky with their targets. New malware dubbed Karkoff is designed to allow them to execute code remotely on compromised hosts. The campaign also uses the Mimikatz credential dumper, various off-the-shelf administration tools, the Bitvise WinSSH SSH server, and the Putty program for SSH tunneling within the same network. As part of the new reconnaissance phase added to the campaign, the malware drops a Windows batch file in order to execute a WMI command and obtain all running processes on the victim’s machine.
Source: https://www.bleepingcomputer.com/news/security/dnspionage-drops-new-karkoff-malware-cherry-picks-its-victims/