Cisco’s Talos security group has discovered a new cyber campaign dubbed “DNSpionage” that targets organizations in the Middle East. The cyber attacks have impacted .gov domains in Lebanon and the United Arab Emirates (UAE), as well as a Lebanese airline company.
“This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros,” Talos stated in a recent report.
The DNSpionage malware supports HTTP and DNS communication with the attackers.
Talos also said that in a separate campaign, attackers used the same IP address to redirect DNS traffic for legitimate .gov and private company domains.
“During each DNS compromise, the actor carefully generated Let’s Encrypt certificates for the redirected domains. These certificates provide X.509 certificates for TLS free of charge to the user. We don’t know at this time if the DNS redirections were successful,” Talos added.
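The two indicators described above, a changed DNS answer for a domain and a freshly issued certificate from a CA the domain owner never used, are both observable by the defender. As an added example that is not part of the Talos report, the Python check below compares resolver answers and Certificate Transparency entries against a baseline and prioritises names that show both signs. All names, addresses and issuers are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed baseline: the addresses each monitored name is expected to resolve to.
BASELINE: Dict[str, Set[str]] = {
    "www.example.gov": {"203.0.113.10", "203.0.113.11"},
    "mail.example.gov": {"203.0.113.20"},
}

# Constructed baseline: the CA that normally issues each name's certificate.
EXPECTED_ISSUER: Dict[str, str] = {
    "www.example.gov": "DigiCert",
    "mail.example.gov": "DigiCert",
}

# Constructed DNS answers as a resolver log would record them: (name, answer).
OBSERVED_DNS: List[Tuple[str, str]] = [
    ("www.example.gov", "203.0.113.10"),
    ("mail.example.gov", "198.51.100.77"),   # answer points at an unknown host
    ("mail.example.gov", "not-an-ip"),       # malformed answer, also reported
    ("other.example.gov", "203.0.113.30"),   # not a monitored name: ignored
]

# Constructed Certificate Transparency entries: which CA logged a cert for which name.
OBSERVED_CERTS: List[Dict[str, str]] = [
    {"domain": "www.example.gov", "issuer": "DigiCert"},
    {"domain": "mail.example.gov", "issuer": "Let's Encrypt"},
]


def dns_anomalies(baseline, observed):
    """Return (name, answer, reason) for every monitored name whose answer is off-baseline."""
    findings = []
    for name, answer in observed:
        expected = baseline.get(name)
        if expected is None:
            continue  # not a monitored name
        try:
            canonical = str(ipaddress.ip_address(answer))
        except ValueError:
            findings.append((name, answer, "malformed address in answer"))
            continue
        # Normalise the baseline too so "203.0.113.010"-style spellings compare equal.
        if canonical not in {str(ipaddress.ip_address(ip)) for ip in expected}:
            findings.append((name, canonical, "answer not in baseline"))
    return findings


def cert_anomalies(expected_issuer, entries):
    """Return monitored names for which a certificate from an unexpected CA was logged."""
    flagged = []
    for entry in entries:
        name = entry["domain"]
        if name in expected_issuer and entry["issuer"] != expected_issuer[name]:
            flagged.append(name)
    return flagged


def correlate(dns_findings, cert_findings):
    """Names with both a DNS answer change and an unexpected certificate: highest priority."""
    redirected = {name for name, _, _ in dns_findings}
    return sorted(redirected & set(cert_findings))


if __name__ == "__main__":
    dns_hits = dns_anomalies(BASELINE, OBSERVED_DNS)
    cert_hits = cert_anomalies(EXPECTED_ISSUER, OBSERVED_CERTS)
    for name, answer, reason in dns_hits:
        print(f"DNS  {name}: {answer} ({reason})")
    for name in cert_hits:
        print(f"CERT {name}: certificate from unexpected issuer")
    print("both indicators:", correlate(dns_hits, cert_hits))
```

In production the observed records would come from your resolver logs and a CT log monitor rather than inline lists; the certificate check is worth running on its own, because a certificate issued for your name by a CA you never used is visible in CT even if the redirection itself never succeeds.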
Check out the full Talos blog post for more details, including the infection vectors, the malicious Office document and the macros it uses, and a detailed analysis of the malware and the DNS redirection.