DNSpionage Targets Middle East
(Nov 27, 2018)
A new campaign has been identified to be targeting Lebanon and the United Arab Emirates .gov domains and a Lebanese airline company, according to Cisco Talos researchers. The unknown threat actors behind this campaign are targeting users of said websites with Microsoft Office documents that contain a malicious macro. The actors attempt to compromise the website visitors, or individuals deemed as targets, by creating domains that impersonated the authentic ones or potentially distributing spear phishing emails. These actor-created websites hosted a document that is a copy of a genuine document that is provided by the Canadian energy company “Suncor Energy” that contains a malicious macro. The document requests the user to “Enable Content,” which will cause a macro to launch when the document is closed that creates a scheduled task for the dropped Remote Access Tool (RAT) payload called “DNSpionage.” The link for the document was likely distributed via a spear phishing campaign, but as of this writing researchers are not certain.
Recommendation: Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense, inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.