A previously unknown hacker group is targeting organizations in the United Arab Emirates and Lebanon in a campaign involving the use of fake job websites to drop malware on victim systems.
The campaign appears to be targeted at specific organizations in the two countries but the motives behind it remain somewhat unclear, Cisco's Talos threat intelligence group said in a report Monday. The attackers also have been attempting to redirect the DNS traffic of legitimate .gov and private company domains in the UAE and Lebanon. One of those targeted was Middle East Airlines, a private Lebanese airline company.
Paul Rascagneres, security researcher at Talos, says it's unclear how the attackers might have compromised nameservers belonging to the targeted entities for DNS redirection.
Talos is also not sure if the DNS redirection attempts were in fact successful. As with the malware campaign, the motives behind the redirection efforts are not completely obvious though data exfiltration is likely one reason for both campaigns. Talos named the malware in the campaign as DNSpionage.
"It's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks," the Talos report noted.
The new campaign is the second in recent months targeting Middle East organizations and is a sign of the recently heightened interest in the region among cyberattackers. In September, Check Point reported on new surveillance attacks on law enforcement and other organizations in Palestine and other Middle East regions by a group known as Big Bang.
A Siemens report from earlier this year described organizations in the oil and gas sectors in the Middle East particularly as being the most aggressively targeted in the world. Half of all cyberattacks in the region are targeted at companies in these two sectors. According to Siemens, a startling 75% or organizations in these sectors have been involved in at least one recent cyberattack that either disrupted their OT network or led to confidential data loss.
With the latest campaign, the infrastructure and the tactics, techniques and procedures that the threat actor is using are not something that Talos has been able to connect with any previously known group.
DNSpionage malware is being distributed via Microsoft Office documents hosted on two malicious websites designed to look like the jobs listing pages of two legitimate companies—Wipro and Suncor Energy. The hosted document is a copy of a legitimate file on Suncor's site
The malicious documents contain macros which when run drop DNSpionage on the target system. The malware is a Remote Access Trojan that supports HTTP and DNS communication with the attackers, and gets executed when the Microsoft Office document is closed. It appears designed to extract data from the compromised system and send it to the command and control system.
Rascagneres says the attackers appear to be using spear-phishing emails or social media contact to distribute links to the two malicious sites from where DNSpionage is being distributed.
Traffic Redirection Attacks
One of the IPs linked to the DNSpionage campaign was also used in DNS redirection attacks targeting multiple public sector organizations in the UAE and Lebanon between September and November. Hostnames under the control of these organizations were briefly redirected to the rogue IP for reasons that are not fully clear.
In each case, before the redirection occurred, the attackers created a certificate matching the targeted organization's domain name using certificates from Let's Encrypt, a provider of free X.509 certificates for TLS.
"The actor most likely used LE certificates as they are free," Rascagneres says. The certificates do not cause self-signed errors like other certificates do and are trusted by browsers. There are multiple reasons why the threat actor might be using the certificates. One example: to enable man-in-the-middle attacks, Rascagneres says.
The redirection attempts are noteworthy because the attackers appear to have been able to intercept all traffic - including email and VPN traffic - headed toward the compromised sites. This means if the redirection was successful, the attackers would have had a way to access additional information like email and VPN credentials, Talos said in its report.
Talos says it does not know how successful the DNS redirection attacks were. But the attacks have not stopped trying. So far this year, they have launched five DNS redirection attacks, the most recent of which was just two weeks ago, Talos said.
Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.