New cyberespionage campaign launches DNSpionage malware against Middle Eastern targets

  • The campaign appears to be the work of a previously unknown threat group.
  • The malware supports HTTP and DNS communication with the cybercriminals operating the campaign.

A new cyberespionage campaign targeting government and private entities across the Middle East has been discovered by security researchers. The cybercriminals behind the campaign, who appear to be a previously unknown group with no links to other known threat actors, have already targeted a private Lebanese airline and government organizations in the UAE.

The malware deployed in the campaign, dubbed DNSpionage, supports HTTP and DNS communication with the cybercriminals operating the campaign. The campaign makes use of two malicious websites that advertised job postings. Links to these sites were used to infect victims with malicious Microsoft Word documents containing embedded macros.

Modus operandi

“The document is a copy of a legitimate file available on the website for Suncor Energy, a Canadian sustainable energy company, and contains a malicious macro,” researchers at Cisco Talos, who identified the new campaign, wrote in a blog. “At this time, we don't know how the target received these links. The attackers most likely sent the malicious document via email as part of a spear-phishing campaign, but it also could have circulated via social media platforms, such as LinkedIn, in an attempt to legitimize the opportunity for a new job.”

DNSpionage is a previously undocumented remote administration tool that also supports a DNS-only mode. Using DNS for command and control lets the attackers communicate with infected systems with ease while lowering the chance of detection.
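The DNS-only channel described above is what a defender would hunt for in resolver logs. As an added example that is not from the article or from Cisco Talos, the following Python flags apex domains that receive several queries whose subdomain labels are long and high-entropy, as encoded command or exfiltration data tends to be; the sample log lines, domain names and thresholds are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: (client_ip, queried_name). Not real data.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "8f3a9c1e2b7d4e6f0a1b2c3d4e5f6a7b.updates.example-c2.test"),
    ("10.0.0.7", "1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f.updates.example-c2.test"),
    ("10.0.0.7", "a1b2c3d4e5f60718293a4b5c6d7e8f90.updates.example-c2.test"),
    ("10.0.0.7", "0011223344556677889900aabbccddee.updates.example-c2.test"),
    ("10.0.0.9", "cdn.example.org"),
]

def shannon_entropy(s):
    """Bits per character; random hex or base32 labels score well above plain words."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def apex(name, labels=2):
    """Registrable domain, approximated as the last two labels (a real tool would use the public suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-labels:])

def score_name(name):
    """Length and entropy of the longest subdomain label below the apex."""
    parts = name.lower().rstrip(".").split(".")[:-2]
    longest = max(parts, key=len, default="")
    return {"longest_label": len(longest), "entropy": shannon_entropy(longest)}

def find_suspect_domains(queries, min_label=24, min_entropy=3.5, min_unique=3):
    """Return {apex: hit_count} for apexes with several distinct payload-like subdomains."""
    by_apex = defaultdict(set)
    for _, name in queries:
        by_apex[apex(name)].add(name.lower())
    suspects = {}
    for dom, names in by_apex.items():
        hits = [n for n in names
                if score_name(n)["longest_label"] >= min_label
                and score_name(n)["entropy"] >= min_entropy]
        if len(hits) >= min_unique:
            suspects[dom] = len(hits)
    return suspects

if __name__ == "__main__":
    for dom, hits in find_suspect_domains(SAMPLE_QUERIES).items():
        print(f"possible DNS tunnelling to {dom}: {hits} payload-like queries")
```

Tune the thresholds against your own baseline; CDN and anti-spam services legitimately use long labels, so review flagged apexes rather than blocking them automatically.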

The researchers believe that the attacker has likely been active in the region, given the group’s understanding of the specific domains and certificates required to carry out the campaign. The same attackers are also believed to have been involved in a DNS redirection campaign, which also targeted entities in the Middle East.

Who is responsible?

“We are highly confident that both of these campaigns came from the same actor. However, we do not know much about the location of the actors and their exact motivations. It is clear that this threat actor was able to redirect DNS from government-owned domains in two different countries over the course of two months, as well as a national Lebanese airline,” Cisco Talos researchers added. “They were able to work from the system's point of view by using a Windows malware, as well as the network, by using DNS exfiltration and redirection.”

Although it is still unclear whether the campaigns launched by the cybercriminals were successful, researchers observed that the attackers have continued their efforts. The threat actor has so far launched five attacks in 2018, one of which was observed earlier this month.

“This is an advanced actor who obviously has their sights set on some important targets, and they don't appear to be letting up any time soon,” the researchers said.

Cyware Publisher