DNSpionage

Description

(Talos) Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it’s clear that this adversary spent time understanding the victims’ network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks.

Based on this actor’s infrastructure and TTPs, we haven’t been able to connect them with any other campaign or actor that’s been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling “DNSpionage,” supports HTTP and DNS communication with the attackers.

Talos found a possible relationship between DNSpionage and OilRig, APT 34, Helix Kitten, Chrysene.

Names

Name	Name-Giver
DNSpionage	Talos

Country

• Iran

Sponsor

State-sponsored

Motivation

• Information theft and espionage

First Seen

2019

Observed Sectors

• Aviation
• Government
• Law enforcement
• Telecommunications
• Internet infrastructure

Observed Countries

• Albania
• Cyprus
• Egypt
• Iraq
• Jordan
• Kuwait
• Lebanon
• Libya
• Sweden
• UAE
• USA
• North Africa

Tools

• DNSpionage
• Karkoff

Operations

• 2019-04: DNSpionage brings out the Karkoff https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html

Information

• https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
• https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
• https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/
• https://krebsonsecurity.com/tag/dnspionage/

Other Information

Uuid

bada63ae-9429-4f84-b141-2970799ac9d5

Last Card Change

2020-04-15