A new threat actor is targeting Lebanese and United Arab Emirates (UAE) government domains, as well as a Lebanese airline company, according to Warren Mercer and Paul Rascagneres at Cisco Talos. This group is using two fake job posting websites to deliver malicious Microsoft Office documents.
These documents contain a remote administration tool, dubbed “DNSpionage” by Talos, that communicates with the attackers via HTTP and DNS. The malware can also operate using only DNS, facilitating data exfiltration by avoiding proxies and web filtering.
The threat actor uses infrastructure and TTPs that do not match those of any other known group or campaign. The attackers used the same IP address in another campaign to redirect the DNS records of legitimate .gov sites and private company domains to attacker-controlled IP addresses. By analysing the malware's DNS exfiltration traffic, the researchers identified the location of some of the victims, finding that the DNS queries originated in Lebanon and the UAE. Numerous public sector nameservers in both countries were compromised.
The researchers say that, while the DNS redirection was taking place, the attackers would have been able to intercept all traffic destined for the compromised hostnames. This could have allowed them to harvest email or VPN credentials, or abuse multi-factor authentication.
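As an added illustration (not code from the Talos report), here are the two detection checks the description above implies, in Python: a DNS query log scan for the many-distinct-high-entropy-subdomain pattern that DNS-only C2 and exfiltration leave behind, and a comparison of observed A records for monitored hostnames against an expected set to catch redirection. All domains, IP addresses and log entries are constructed placeholders.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log as (client_ip, queried_name); not real indicators.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example-news.test"),
    ("10.0.0.5", "3f9a1c7e4b2d8e6f0a1b.c2-attacker.test"),
    ("10.0.0.5", "8d2e5f1a9c3b7e0d4f6a.c2-attacker.test"),
    ("10.0.0.5", "1b7c9e3a5d0f2a8c6e4b.c2-attacker.test"),
    ("10.0.0.5", "5e0a2c8f4b6d1a3e9c7f.c2-attacker.test"),
    ("10.0.0.7", "mail.example-ministry.test"),
]

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data in a label scores far higher than a word."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name: str) -> str:
    # Naive: the last two labels. Use a public-suffix list in production.
    return ".".join(name.split(".")[-2:])

def find_tunneling_candidates(queries, min_unique=4, min_entropy=3.0):
    """Return parent domains that receive many distinct, long, high-entropy
    subdomain labels from one client, the footprint of DNS-carried C2 or exfil."""
    seen = defaultdict(set)  # (client, parent domain) -> suspicious first labels
    for client, name in queries:
        label = name.split(".")[0]
        if len(label) >= 16 and shannon_entropy(label) >= min_entropy:
            seen[(client, registered_domain(name))].add(label)
    return sorted(parent for (_, parent), labels in seen.items()
                  if len(labels) >= min_unique)

# Constructed expected A records for hostnames the organisation owns (placeholders).
EXPECTED_A = {
    "mail.example-ministry.test": {"192.0.2.10"},
    "vpn.example-ministry.test": {"192.0.2.20"},
}

def find_redirected_hosts(observed: dict) -> list:
    """Flag monitored hostnames whose currently observed A records fall outside
    the expected set, which is what a nameserver or registrar-level redirection
    to attacker-controlled addresses looks like from the outside."""
    return sorted(host for host, ips in observed.items()
                  if host in EXPECTED_A and not ips <= EXPECTED_A[host])
```

Run the A-record check from an external vantage point on a schedule; a redirection that is rolled back within hours is easy to miss with a daily poll.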
“It is unclear if these DNS redirection attacks were successful, but the attackers have kept up their efforts, launching five attacks so far this year, including one in the past two weeks,” say Mercer and Rascagneres. “Users should use these campaigns as proof that their endpoint protection as well as the network protection need to be as strong as possible. This is an advanced actor who obviously has their sights set on some important targets, and they don’t appear to be letting up any time soon.”
Another defensive measure that can be implemented is user awareness training. These attackers use social engineering to trick victims into downloading their malware. New-school security awareness training can give employees the ability to recognize and avoid these attacks before falling victim to them.
Talos has the story: https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html