Cisco Talos discovered a new malware campaign targeting a commercial Lebanese airline company, as well as United Arab Emirates (UAE) andLebanon government domains.
According to Cisco Talos' findings , the recently observed campaign could not be connected to other threat actors or attacks based on the used infrastructure and its Tactics, Techniques, and Procedures (TTP).
The actor was observed while using maliciously crafted Word and Excel documents powered by macros which would compromise targets visiting two fake job postings websites controlled by the attacker.
The documents used to infect targets drop a new remote administration tool which Cisco Talos namedDNSpionagebecause of its capability of communicating with its masters using a DNS tunneling communication channel.
Moreover, after being dropped on the compromised machine,DNSpionagewill use the Downloads folder as storage for tools and scripts it downloads from the command-and-control (C&C) server, while the Uploads directory is the temporary location for all exfiltrated data.
At the moment, the method used by the threat group to deliver the malicious documents is not known, but the highest chances are that they are part of a spear-phishing campaign or shared on social media platforms.
The threat group usedLet's Encrypt certificates to give legitimacy to their DNS redirect attacksThe actors have also been observed performing DNS redirection attacks targeting private and government domains by pointing the hostnames to IP addresses the threat group controls and using Let's Encrypt security certificates matching the attacked domains.
Even though the rate of success of the actors' DNS redirection attacks is not known, the security impact can be very high considering that the threat group could have intercepted all the traffic going to these domains' servers, from emails and credentials to multi-factor authentication (MFA) codes.
The DNSpionagecampaign targeted both private and government targets, and the threat group behind it "kept up their efforts, launching five attacks so far this year, including one in the past two weeks."
"This is an advanced actor who obviously has their sights set on some important targets, and they don't appear to be letting up any time soon," concluded Cisco Talos.
